Abstract. A hierarchy of models that capture realistic aspects of reactive, real-time, and hybrid systems is introduced. On the most abstract level, the qualitative (non-quantitative) model of reactive systems captures the temporal precedence aspect of time. A more refined model is that of real-time systems, which represents the metric aspect of time. The third and most detailed model is that of hybrid systems, which allows the incorporation of continuous components into a reactive system.

For each of the three levels, we present a computational model, a requirement specification language based on extensions of temporal logic, system description languages based on Statecharts and a textual programming language, proof rules for proving validity of properties, and examples of such proofs.
1 Introduction

As our ability to specify and develop programs for reactive systems increases, there is a growing interest in the representation of more realistic features of such systems in the formal models and languages used for their specification, verification, and development.

As is the case with the application of mathematics to other scientific and engineering disciplines, no single model can fully capture the physical phenomenon under study. Instead, we construct a hierarchy of models, each refining (but not necessarily invalidating) its predecessor by the inclusion of additional details.

A good example of the efficient utilization of a hierarchy of models can be found in hardware design, where the orderly development of a large circuit may proceed through several stages, starting at a functional system specification and proceeding through register transfer description, gate level description, device level representation, layout design, and so on. Each of those descriptions adds more details to its predecessor but is consistent with it, and in many cases is even derived from the previous stage. Some interesting approaches even propose multi-level simulation and analysis in which different parts of the same system are represented at different levels of detail.

Following this approach, this paper presents a hierarchy of three models for the specification and verification of reactive systems:

•  A  reactive  systems  model  that  captures  the  qualitative  (non-quantitative)  temporal 
precedence  aspect  of  time.  This  model  can  only  identify  that  one  event  precedes 
another  but  not  by  how  much. 

•  A  real-time  systems  model  that  captures  the  metric  aspect  of  time  in  a  reactive 
system.  This  model  can  measure  the  time  elapsing  between  two  events. 

• A hybrid systems model that allows the inclusion of continuous components in a reactive real-time system. Such continuous components may cause continuous change in the values of some state variables according to some physical or control law.

For  each  of  these  levels  of  description,  the  paper  provides: 
• A computational model defining the set of behaviors (computations) that are to be associated with systems in the considered model.

•  A  requirement  specification  language  for  specifying  properties  of  systems  within  the 
model.  The  languages  we  will  consider  are  all  variants  of  temporal  logic  extended 
to  deal  with  the  new  aspects  included  in  the  model. 

• A system description language for describing systems within the model. We will use both a textual programming language and appropriate extensions of the graphical language of statecharts [Har87] to present systems.

•  A  set  of  proof  rules  by  which  valid  properties  of  systems  can  be  verified,  showing 
that  the  systems  satisfy  their  specifications. 

•  Examples  illustrating  the  use  of  the  presented  proof  rules  for  the  verification  of 
properties. 

While  the  qualitative  model  is  well  established  and  has  been  in  use  for  several  years 
now  (e.g.,  [MP91b]),  the  real-time  model  presented  here  represents  work  in  progress,  and 
research  on  the  hybrid  model  has  just  started. 

Excerpts of this paper have been presented in a preliminary form in [MP92a] and [MP92b].


2  Reactive  Systems 

The qualitative model of reactive systems uses an abstract notion of time, based on the ordering of events during an observed computation. This is the main model used, for example, in [MP91b].


2.1  Computational  Model:  Fair  Transition  System 

The  computational  model  for  the  qualitative  level  is  that  of  fair  transition  systems.  Such 
a  system  consists  of  the  following  components. 


• $V$: A finite set of state variables. Some of these variables represent data variables, which are explicitly manipulated by the program text. Other variables are control variables, which represent, for example, the location of control in each of the processes in a concurrent program. We assume each variable to be associated with a domain over which it ranges.

We define a state $s$ to be a type-consistent interpretation of $V$, assigning to each variable $u \in V$ a value $s[u]$ over its domain. We denote by $\Sigma$ the set of all states.

• $\Theta$: The initial condition. This is an assertion characterizing all the initial states, i.e., states at which a computation of the program can start. A state is defined to be initial if it satisfies $\Theta$. It is required that $\Theta$ be satisfiable, i.e., there exists at least one state satisfying $\Theta$.
• $T$: A finite set of transitions. Each transition $\tau \in T$ is a function

$$\tau : \Sigma \to 2^{\Sigma},$$

mapping each state $s \in \Sigma$ into a (possibly empty) set of $\tau$-successor states $\tau(s) \subseteq \Sigma$. A transition $\tau$ is enabled on $s$ iff $\tau(s) \neq \emptyset$. Otherwise $\tau$ is disabled on $s$.

The function associated with a transition $\tau$ is represented by an assertion $\rho_\tau(V, V')$, called the transition relation, which relates a state $s \in \Sigma$ to its $\tau$-successor $s' \in \tau(s)$ by referring to both unprimed and primed versions of the state variables. An unprimed version of a state variable refers to its value in $s$, while a primed version of the same variable refers to its value in $s'$. For example, the assertion $x' = x + 1$ states that the value of $x$ in $s'$ is greater by 1 than its value in $s$.

• $J \subseteq T$: A set of just transitions (also called weakly fair transitions). Intuitively, the requirement of justice for $\tau \in J$ disallows a computation in which $\tau$ is continually enabled beyond a certain point but taken only finitely many times.

• $C \subseteq T$: A set of compassionate transitions (also called strongly fair transitions). Intuitively, the requirement of compassion for $\tau \in C$ disallows a computation in which $\tau$ is enabled infinitely many times but taken only finitely many times.

The transition relation $\rho_\tau(V, V')$ identifies state $s'$ as a $\tau$-successor of state $s$ if

$$(s, s') \models \rho_\tau(V, V'),$$

where $(s, s')$ is the joint interpretation which interprets $x \in V$ as $s[x]$, and interprets $x'$ as $s'[x]$.

The enabledness of a transition $\tau$ can be expressed by the formula

$$En(\tau) : (\exists V')\,\rho_\tau(V, V'),$$

which is true in $s$ iff $s$ has some $\tau$-successor.

We require that every state $s \in \Sigma$ has at least one transition enabled on it. This is often ensured by including in $T$ the idling transition $\tau_I$ (also called the stuttering transition), whose transition relation is $\rho_I : (V = V')$. Thus, $s'$ is a $\tau_I$-successor of $s$ iff $s' = s$.

Let $S$ be a transition system for which the above components have been identified. We define a computation of $S$ to be an infinite sequence of $\tilde{V}$-states $\sigma : s_0, s_1, s_2, \ldots$, for some vocabulary $\tilde{V}$ that contains $V$, satisfying the following requirements:

• Initiation: $s_0$ is initial, i.e., $s_0 \models \Theta$.

• Consecution: For each $j = 0, 1, \ldots$, the state $s_{j+1}$ is a $\tau$-successor of the state $s_j$, i.e., $s_{j+1} \in \tau(s_j)$, for some $\tau \in T$. In this case, we say that the transition $\tau$ is taken at position $j$ in $\sigma$.

• Justice: For each $\tau \in J$ it is not the case that $\tau$ is continually enabled beyond some point in $\sigma$ but taken at only finitely many positions in $\sigma$.

• Compassion: For each $\tau \in C$ it is not the case that $\tau$ is enabled on infinitely many states of $\sigma$ but taken at only finitely many positions in $\sigma$.

For a system $S$, we denote by $Comp(S)$ the set of all computations of $S$.
2.2 A Simple Programming Language: Syntax

To present programs, we introduce a simple concurrent programming language (SPL) in which processes communicate by shared variables. The following is a list of some of the statements with an explanation of their intended meanings. We present only the statements that are used in this paper. The reader is referred to [MP91b] for a description of the full language.

• Assignment: For a variable $y$ and an expression $e$ of appropriate type,

$$y := e$$

is an assignment statement.

•  Await:  For  a  boolean  expression  c, 

await  c 

is  an  await  statement.  We  refer  to  condition  c  as  the  guard  of  the  statement. 

Execution  of  await  c  changes  no  variables.  Its  sole  purpose  is  to  wait  until  c  becomes 
true,  at  which  point  it  terminates. 

• Concatenation: For statements $S_1, \ldots, S_k$,

$$S_1;\ \cdots;\ S_k$$

is a concatenation statement. Its intended meaning is sequential composition. The first step in an execution of $S_1; \cdots; S_k$ is the first step in an execution of $S_1$. Subsequent steps continue to execute the rest of $S_1$, and when $S_1$ terminates, proceed to execute $S_2, S_3, \ldots, S_k$.

In a program presented as a multi-line text, we often omit the separator at the end of a line.

•  While:  For  a  boolean  expression  c  and  a  statement  S, 

while  c  do  S 

is a while statement. Its execution begins by evaluating $c$. If $c$ evaluates to F, execution of the statement terminates. Otherwise, subsequent steps proceed to execute $S$. When $S$ terminates, $c$ is tested again.

Programs 

A program $P$ has the form

$$P :: [\,\text{declaration};\ [P_1 :: [\ell_1 : S_1;\ \hat{\ell}_1 :]\ \|\ \cdots\ \|\ P_m :: [\ell_m : S_m;\ \hat{\ell}_m :]]\,],$$

where $P_1 :: [\ell_1 : S_1;\ \hat{\ell}_1 :], \ldots, P_m :: [\ell_m : S_m;\ \hat{\ell}_m :]$ are named processes. The names of the program and of the processes are optional, and may be omitted. The body $[\ell_i : S_i;\ \hat{\ell}_i :]$ of process $P_i$ consists of a statement $S_i$ and an exit label $\hat{\ell}_i$, which is where control resides after execution of $S_i$ terminates. Label $\hat{\ell}_i$ can be viewed as labeling an empty statement following $S_i$.

A declaration consists of a sequence of declaration statements of the form

$$\text{variable}, \ldots, \text{variable} : \text{type}\ \text{where}\ \varphi.$$

Each declaration statement lists several variables that share a common type and identifies their type, i.e., the domain over which the variables range. We use basic types such as integer, character, etc., as well as structured types, such as array, list, and set.

The optional assertion $\varphi$ imposes constraints on the initial values of the variables declared in this statement.
Let $\varphi_1, \ldots, \varphi_n$ be the assertions appearing in the declaration statements of a program. We refer to the conjunction $\varphi : \varphi_1 \wedge \cdots \wedge \varphi_n$ as the data-precondition of the program.

Fig. 1 presents a simple program consisting of two processes communicating by the shared variable $x$, initially set to 0. Process $P_1$ keeps incrementing variable $y$ as long as $x = 0$. Process $P_2$ has only one statement, which sets $x$ to 1. Obviously, once $x$ is set to 1, process $P_2$ terminates and some time later so does $P_1$, as soon as it observes that $x \neq 0$.

    x, y : integer where x = y = 0

    P1 :: [ ℓ0 : while x = 0 do [ ℓ1 : y := y + 1 ]   ||   P2 :: [ m0 : x := 1
            ℓ2 : ]                                               m1 : ]

Figure 1: Program ANY-Y: A simple concurrent program.

2.3  Semantics  of  the  Programming  Language 

The  semantics  of  the  simple  programming  language  is  obtained  by  showing  how  each 
program  can  be  viewed  as  a  fair  transition  system.  This  is  done  by  identifying  each  of 
the  components  of  a  fair  transition  system  for  a  given  program. 

Consider a program $P$ given by

$$[\,\text{declaration};\ [P_1 :: [\ell_1 : S_1;\ \hat{\ell}_1 :]\ \|\ \cdots\ \|\ P_m :: [\ell_m : S_m;\ \hat{\ell}_m :]]\,].$$

Let $L_P$ denote the set of locations of program $P$. We refer the reader to [MP91b], where a location is defined as an equivalence class of labels. For our simpler treatment here, it suffices to consider locations as identical to labels. We also assume that we know how to compute, for each statement $S$ of a given program, its post-location, which is the location reached after the termination of $S$.

In program ANY-Y, for example, the post-location of statement $m_0$ is $m_1$, while the post-location of statement $\ell_1$ is $\ell_0$.

We will show how to define a fair transition system $S_P$ corresponding to program $P$.

State Variables and States

The state variables $V$ for system $S_P$ consist of the data variables $Y = \{y_1, \ldots, y_n\}$ that are declared at the head of the program, and a single control variable $\pi$. The data variables $Y$ range over their respectively declared data domains. The control variable $\pi$ ranges over subsets of $L_P$, i.e., sets of locations. The value of $\pi$ in a state denotes all the locations of the program in which control currently resides.

For example, the state variables for program ANY-Y are $V = \{\pi, x, y\}$, where $x$ and $y$ range over the integers while $\pi$ ranges over subsets of $\{\ell_0, \ell_1, \ell_2, m_0, m_1\}$.

As states we take all possible interpretations that assign to the state variables values over their respective domains. For example, the initial state of program ANY-Y is

$$(\pi : \{\ell_0, m_0\},\ x : 0,\ y : 0).$$

Transitions

To ensure that every state has some transition enabled on it, we uniformly include the idling transition $\tau_I$ in the transition system corresponding to each program. The transition relation for $\tau_I$ is

$$\rho_I : V' = V.$$

We proceed to define the transition relations for the transitions associated with each of the previously introduced statements.

• Assignment: Consider the statement $[\ell : y := e;\ \hat{\ell} : \ldots]$, where $\hat{\ell}$ is the post-location of $\ell$. With this statement we associate a transition $\tau_\ell$, with the transition relation

$$\rho_\ell : \ell \in \pi \ \wedge\ \pi' = \pi - \{\ell\} \cup \{\hat{\ell}\} \ \wedge\ y' = e \ \wedge \bigwedge_{u \in Y - \{y\}} (u' = u).$$

The last conjunct claims that all data variables, excluding $y$, retain their values over the transition $\tau_\ell$.

• Await: With the statement $[\ell : \mathbf{await}\ c;\ \hat{\ell} : \ldots]$ we associate a transition $\tau_\ell$, with the transition relation

$$\rho_\ell : \ell \in \pi \ \wedge\ \pi' = \pi - \{\ell\} \cup \{\hat{\ell}\} \ \wedge\ c \ \wedge\ Y' = Y.$$

The transition $\tau_\ell$ is enabled only when control is at $\ell$ and the condition $c$ holds. When taken, it moves from $\ell$ to location $\hat{\ell}$. The conjunct $Y' = Y$ stands for the conjunction

$$\bigwedge_{u \in Y} (u' = u).$$

• While: With the statement $[\ell : [\mathbf{while}\ c\ \mathbf{do}\ [\tilde{\ell} : S]];\ \hat{\ell} : \ldots]$, we associate a transition $\tau_\ell$ with the transition relation

$$\rho_\ell : \ell \in \pi \ \wedge \left( \begin{array}{c} c \wedge \pi' = \pi - \{\ell\} \cup \{\tilde{\ell}\} \\ \vee \\ \neg c \wedge \pi' = \pi - \{\ell\} \cup \{\hat{\ell}\} \end{array} \right) \wedge\ Y' = Y.$$

According to $\rho_\ell$, when $c$ evaluates to T control moves from $\ell$ to $\tilde{\ell}$, and when $c$ evaluates to F control moves from $\ell$ to $\hat{\ell}$. Note that, in this context, the post-location of $S$ is $\ell$. Note also that the enabling condition of $\tau_\ell$ is $\ell \in \pi$, which does not depend on the value of $c$: the transition is enabled whenever control is at $\ell$, and the value of $c$ only selects which branch it takes.

Thus, the fair transition system corresponding to program ANY-Y has the transitions

$$\tau_I,\ \tau_{\ell_0},\ \tau_{\ell_1},\ \text{and}\ \tau_{m_0}.$$

Transition $\tau_{\ell_1}$, for example, has the transition relation

$$\rho_{\ell_1} : \ell_1 \in \pi \ \wedge\ \pi' = \pi - \{\ell_1\} \cup \{\ell_0\} \ \wedge\ y' = y + 1 \ \wedge\ x' = x.$$
The Initial Condition

Let $\varphi$ denote the data precondition of program $P$. We define the initial condition $\Theta$ for $S_P$ as

$$\Theta : \pi = \{\ell_1, \ldots, \ell_m\} \ \wedge\ \varphi.$$

This implies that the first state in an execution of the program begins with the control variable pointing to the initial locations of the processes, and the data variables satisfying the data precondition.

For example, the initial condition for program ANY-Y is given by

$$\Theta : \pi = \{\ell_0, m_0\} \ \wedge\ x = 0 \ \wedge\ y = 0.$$

Justice  and  Compassion 

For  the  simplistic  programming  language  we  have  presented,  the  justice  and  compassion 
requirements  are  straightforward. 

• Justice: As the justice set, we take $T - \{\tau_I\}$, the set of all transitions, excluding the idling transition $\tau_I$.

• Compassion: As the compassion set, we take the empty set. This will suffice for the examples presented in this paper. The programs presented in [MP91b] use additional statements such as semaphore and communication statements, and these give rise to nonempty compassion sets.

This concludes the definition of the transition system $S_P$.
Examples of Computations

Identification of the fair transition system $S_P$ corresponding to a program $P$ gives rise to a set of computations $Comp(P)$ which can be viewed as the possible executions of $P$, i.e., $Comp(P) = Comp(S_P)$.

Consider the following computation of (the transition system corresponding to) program ANY-Y:

$$(\pi : \{\ell_0, m_0\},\ x : 0,\ y : 0) \xrightarrow{m_0} (\pi : \{\ell_0, m_1\},\ x : 1,\ y : 0) \xrightarrow{\ell_0} (\pi : \{\ell_2, m_1\},\ x : 1,\ y : 0) \xrightarrow{\tau_I} \cdots$$

The presentation of this computation contains arrows labeled by the transition that is taken at each step. This computation corresponds to the case that $m_0$ is the first transition taken. Taking this transition sets $x$ to 1, following which process $P_1$ terminates in one step, leading to the terminal state $(\pi : \{\ell_2, m_1\},\ x : 1,\ y : 0)$. The only transition enabled on this state is $\tau_I$, which is repeated forever.

The following computation corresponds to the case that process $P_1$ executes statement $\ell_1$ before $m_0$ is executed.

$$(\pi : \{\ell_0, m_0\},\ x : 0,\ y : 0) \xrightarrow{\ell_0} (\pi : \{\ell_1, m_0\},\ x : 0,\ y : 0) \xrightarrow{\ell_1} (\pi : \{\ell_0, m_0\},\ x : 0,\ y : 1) \xrightarrow{m_0}$$
$$(\pi : \{\ell_0, m_1\},\ x : 1,\ y : 1) \xrightarrow{\ell_0} (\pi : \{\ell_2, m_1\},\ x : 1,\ y : 1) \xrightarrow{\tau_I} \cdots$$

In a similar way, we can construct for each $n \geq 0$ a computation that executes the body of statement $\ell_0$ $n$ times and then terminates in the final state $(\pi : \{\ell_2, m_1\},\ x : 1,\ y : n)$.

However, the sequence

$$(\pi : \{\ell_0, m_0\},\ x : 0,\ y : 0) \xrightarrow{\ell_0} (\pi : \{\ell_1, m_0\},\ x : 0,\ y : 0) \xrightarrow{\ell_1} (\pi : \{\ell_0, m_0\},\ x : 0,\ y : 1) \xrightarrow{\ell_0}$$
$$(\pi : \{\ell_1, m_0\},\ x : 0,\ y : 1) \xrightarrow{\ell_1} (\pi : \{\ell_0, m_0\},\ x : 0,\ y : 2) \xrightarrow{\ell_0} (\pi : \{\ell_1, m_0\},\ x : 0,\ y : 2) \xrightarrow{\ell_1}$$
$$(\pi : \{\ell_0, m_0\},\ x : 0,\ y : 3) \xrightarrow{\ell_0} \cdots$$

in which transition $m_0$ is never taken is not an admissible computation. This is because it violates the justice requirement towards $m_0$, which is continually enabled but never taken.

This illustrates how the requirement of justice ensures that program ANY-Y always terminates.

2.4  Requirement  Specification  Language:  Temporal  Logic 

As a requirement specification language for reactive systems (under the qualitative model) we take temporal logic [MP91b].

We assume an underlying assertion language $\mathcal{L}$ which contains the predicate calculus and interpreted symbols for expressing the standard operations and relations over some concrete domains. Easy reference to the location of control is provided by the predicate $at\_\ell_i$, which is an abbreviation for the formula $\ell_i \in \pi$, stating that control is currently at location $\ell_i$. We also use the expression $at\_\ell_{i,j}$ as an abbreviation for the disjunction

$$at\_\ell_i \ \vee\ at\_\ell_j.$$

We refer to a formula in the assertion language $\mathcal{L}$ as a state formula, or simply as an assertion.

A temporal formula is constructed out of state formulas to which we apply the boolean operators $\neg$ and $\vee$ (the other boolean operators can be defined from these), and the following basic temporal operators:

    $\bigcirc$ - Next          $\ominus$ - Previous
    $\mathcal{U}$ - Until      $\mathcal{S}$ - Since

A model for a temporal formula $p$ is an infinite sequence of states $\sigma : s_0, s_1, \ldots$, where each state $s_j$ provides an interpretation for the variables mentioned in $p$.

Given a model $\sigma$, as above, we present an inductive definition for the notion of a temporal formula $p$ holding at a position $j \geq 0$ in $\sigma$, denoted by $(\sigma, j) \models p$.

• For a state formula $p$,

$$(\sigma, j) \models p \iff s_j \models p.$$

That is, we evaluate $p$ locally, using the interpretation given by $s_j$.

• $(\sigma, j) \models \neg p \iff (\sigma, j) \not\models p$

• $(\sigma, j) \models p \vee q \iff (\sigma, j) \models p$ or $(\sigma, j) \models q$

• $(\sigma, j) \models \bigcirc p \iff (\sigma, j+1) \models p$

• $(\sigma, j) \models p\,\mathcal{U}\,q \iff$ for some $k \geq j$, $(\sigma, k) \models q$, and for every $i$ such that $j \leq i < k$, $(\sigma, i) \models p$

• $(\sigma, j) \models \ominus p \iff j > 0$ and $(\sigma, j-1) \models p$

• $(\sigma, j) \models p\,\mathcal{S}\,q \iff$ for some $k \leq j$, $(\sigma, k) \models q$, and for every $i$ such that $j \geq i > k$, $(\sigma, i) \models p$

Additional temporal operators can be defined as follows:

    $\Diamond p = T\,\mathcal{U}\,p$                          - Eventually
    $\Box p = \neg\Diamond\neg p$                            - Henceforth
    $p\,\mathcal{W}\,q = \Box p \vee (p\,\mathcal{U}\,q)$     - Waiting-for, Unless, Weak Until
    $\Diamond^{-} p = T\,\mathcal{S}\,p$                      - Sometime in the past
    $\Box^{-} p = \neg\Diamond^{-}\neg p$                    - Always in the past
    $p\,\mathcal{B}\,q = \Box^{-} p \vee (p\,\mathcal{S}\,q)$ - Back-to, Weak Since

Another useful derived operator is the entailment operator, defined by:

$$p \Rightarrow q \ =\ \Box(p \to q).$$

We refer to $\bigcirc$, $\mathcal{U}$, $\Diamond$, $\Box$, and $\mathcal{W}$ as future operators and to $\ominus$, $\mathcal{S}$, $\Diamond^{-}$, $\Box^{-}$, and $\mathcal{B}$ as past operators.

A formula that contains no future operators is called a past formula. A formula that contains no past operators is called a future formula. Note that a state formula is both a past and a future formula.

We refer to the set of variables that occur in a formula $p$ as the vocabulary of $p$.

For a state formula $p$ and a state $s$ such that $p$ holds on $s$, we say that $s$ is a $p$-state. A state formula that holds on all states is called assertionally valid.

For a temporal formula $p$ and a position $j \geq 0$ such that $(\sigma, j) \models p$, we say that $j$ is a $p$-position (in $\sigma$). Note that the satisfaction of a past formula at position $j \geq 0$ depends only on the finite prefix $s_0, \ldots, s_j$.

If $(\sigma, 0) \models p$, we say that $p$ holds on $\sigma$, and denote it by $\sigma \models p$. A formula $p$ is called satisfiable if it holds on some model. A formula is called temporally valid if it holds on all models.

Two formulas $p$ and $q$ are defined to be equivalent, denoted $p \sim q$, if the formula $p \leftrightarrow q$ is valid, i.e., $\sigma \models p$ iff $\sigma \models q$, for all models $\sigma$.

In the sequel, we adopt the convention by which a formula $p$ that is claimed to be valid is assertionally valid if $p$ is an assertion, and is temporally valid if $p$ contains at least one temporal operator.

The formulas $p$ and $q$ are defined to be congruent, denoted $p \approx q$, if the formula $\Box(p \leftrightarrow q)$ is valid, i.e., $(\sigma, j) \models p$ iff $(\sigma, j) \models q$, for all models $\sigma$ and all positions $j \geq 0$. If $p \approx q$ then $p$ can be replaced by $q$ in any context, i.e., $\Psi(p) \sim \Psi(q)$ for any formula $\Psi(p)$ containing occurrences of $p$.

The notion of temporal validity requires that the formula holds over all models. Given a program $P$, we can restrict our attention to the set of models which correspond to computations of $P$, i.e., $Comp(P)$. This leads to the notion of $P$-validity, by which a temporal formula $p$ is $P$-valid (valid over program $P$) if it holds over all the computations of $P$. Obviously, any formula that is temporally valid is also $P$-valid for any program $P$. In a similar way, we obtain the notions of $P$-satisfiability and $P$-equivalence.

A state $s$ that appears in some computation of $P$ is called a $P$-accessible state. A state formula is called $P$-state valid if it holds over all $P$-accessible states. Obviously, any state formula that is assertionally valid is also $P$-state valid for any program $P$.

Again, we adopt the convention by which we may refer to a $P$-state valid formula simply as $P$-valid.
2.5 Specification of Properties

A temporal formula $p$ that is valid over a program $P$ specifies a property of $P$, i.e., states a condition that is satisfied by all computations of $P$. As is explained in [MP91b], the properties expressible by temporal logic can be arranged in a hierarchy that identifies different classes of properties according to the form of formulas expressing them.

Here we will consider only properties falling into the two most important classes: safety and response.

Safety Properties

Safety properties are those that can be expressed by a formula

$$\Box\varphi,$$

for some past formula $\varphi$. We refer to a formula of this form as a canonical safety formula. In this paper, we will mainly consider safety properties expressible by the invariance formula $\Box\varphi$, where $\varphi$ is a state formula, and the waiting-for formula $p \Rightarrow (\varphi\,\mathcal{W}\,q)$ for state formulas $p$, $\varphi$, and $q$.

The formula $p \Rightarrow (\varphi\,\mathcal{W}\,q)$ states that, following each $p$-position, there is a succession of $\varphi$-positions that either extends to infinity or is terminated by a $q$-position. This is a safety property since the waiting-for formula is equivalent to the canonical safety formula

$$\Box\big(\neg\varphi \to (\neg p)\,\mathcal{B}\,q\big).$$

The latter formula states that every $\neg\varphi$-position $j$ satisfies $(\neg p)\,\mathcal{B}\,q$, meaning that $p$ is false all the way back from $j$ to an occurrence of $q$ or to the beginning of the computation. This implies that whenever a $\neg\varphi$-position is preceded by a $p$-position, there exists a $q$-position separating the two (possibly coinciding with either).

The following is a list of several safety formulas that are valid over program ANY-Y and therefore specify properties of this program.

• $\Box(y \geq 0)$

This formula claims that $y$ is nonnegative in all states appearing in computations of ANY-Y.

• $\Box(at\_\ell_2 \to x = 1)$

This formula, which can also be rewritten as $at\_\ell_2 \Rightarrow (x = 1)$, claims that $x = 1$ in every state appearing in computations of ANY-Y at which control is at $\ell_2$.

• $at\_\ell_0 \Rightarrow at\_\ell_{0,1}\,\mathcal{W}\,(x \neq 0)$

This waiting-for formula claims that, starting at any state in which control is at $\ell_0$, control within process $P_1$ is continuously at $\ell_0$ or $\ell_1$, either forever or until $x$ differs from 0.

Response Properties

Response properties are those that can be expressed by a formula

$$p \Rightarrow \Diamond q,$$

for past formulas $p$ and $q$. In this paper, we will mainly consider the case that $p$ and $q$ are state formulas.

For example, the response formula $\Theta \Rightarrow \Diamond(at\_\ell_2 \wedge at\_m_1)$ is valid over program ANY-Y. It claims that every state satisfying the initial condition $\Theta : at\_\ell_0 \wedge at\_m_0 \wedge x = 0 \wedge y = 0$ is followed by a terminal state characterized by $at\_\ell_2 \wedge at\_m_1$. This implies that all computations of ANY-Y eventually terminate.
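The inductive definition of Section 2.4 and the ANY-Y properties listed above can be exercised mechanically on an ultimately periodic model (a finite prefix followed by a cycle repeated forever), which is the shape of every computation of ANY-Y shown in Section 2.3. The following Python evaluator is an added example and not code from the paper: the tuple encoding of formulas, the `Model` class and the constructed ANY-Y computation it checks are this example's own choices. It evaluates the two invariance formulas, the waiting-for formula together with its canonical safety form $\Box(\neg\varphi \to (\neg p)\,\mathcal{B}\,q)$, and the response formula on that computation.

```python
"""Temporal-logic evaluator over an ultimately periodic model.
Added example; the formula encoding, Model class and sample states are this
example's assumptions, not the paper's notation or code."""


class Model:
    """States s_0, s_1, ... given as a finite prefix followed by a cycle that
    repeats forever; a state is a dict {'pi': set of locations, 'x': int, 'y': int}."""

    def __init__(self, prefix, cycle):
        if not cycle:
            raise ValueError("an infinite model needs a non-empty cycle")
        self.prefix, self.cycle = list(prefix), list(cycle)
        self.n = len(self.prefix) + len(self.cycle)  # one unrolling visits every state

    def state(self, j):
        if j < len(self.prefix):
            return self.prefix[j]
        return self.cycle[(j - len(self.prefix)) % len(self.cycle)]


# Formulas are tuples: ('atom', pred), ('not', p), ('or', p, q), ('next', p),
# ('until', p, q), ('prev', p), ('since', p, q).  Derived operators follow.
def holds(m, f, j):
    """(sigma, j) |= f for sigma = m, following the inductive definition."""
    op = f[0]
    if op == "atom":
        return bool(f[1](m.state(j)))
    if op == "not":
        return not holds(m, f[1], j)
    if op == "or":
        return holds(m, f[1], j) or holds(m, f[2], j)
    if op == "next":
        return holds(m, f[1], j + 1)
    if op == "until":
        # some k >= j with q at k and p at every i, j <= i < k.  Positions
        # j..j+n revisit every state reachable from j, so the scan is exact.
        for k in range(j, j + m.n + 1):
            if holds(m, f[2], k):
                return True
            if not holds(m, f[1], k):
                return False
        return False
    if op == "prev":
        return j > 0 and holds(m, f[1], j - 1)
    if op == "since":
        # some k <= j with q at k and p at every i, j >= i > k
        for k in range(j, -1, -1):
            if holds(m, f[2], k):
                return True
            if not holds(m, f[1], k):
                return False
        return False
    raise ValueError(f"unknown operator {op}")


TRUE = ("atom", lambda s: True)
def atom(pred):         return ("atom", pred)
def neg(p):             return ("not", p)
def disj(p, q):         return ("or", p, q)
def conj(p, q):         return neg(disj(neg(p), neg(q)))
def impl(p, q):         return disj(neg(p), q)
def nxt(p):             return ("next", p)
def until(p, q):        return ("until", p, q)
def since(p, q):        return ("since", p, q)
def eventually(p):      return until(TRUE, p)                     # <>p = T U p
def always(p):          return neg(eventually(neg(p)))            # []p = ~<>~p
def waiting_for(p, q):  return disj(always(p), until(p, q))       # p W q
def sometime_past(p):   return since(TRUE, p)
def always_past(p):     return neg(sometime_past(neg(p)))
def back_to(p, q):      return disj(always_past(p), since(p, q))  # p B q
def entails(p, q):      return always(impl(p, q))                 # p => q = [](p -> q)
def at(loc):            return atom(lambda s: loc in s["pi"])


def valid_on(m, f):
    """sigma |= f, i.e. f holds at position 0 of the model."""
    return holds(m, f, 0)


def st(pi, x, y):
    return {"pi": set(pi), "x": x, "y": y}


# Constructed sample: the ANY-Y computation that executes l0, l1 once before
# m0 is taken; the terminal state repeats forever via the idling transition.
ANYY_RUN = Model(
    prefix=[st(["l0", "m0"], 0, 0), st(["l1", "m0"], 0, 0),
            st(["l0", "m0"], 0, 1), st(["l0", "m1"], 1, 1)],
    cycle=[st(["l2", "m1"], 1, 1)],
)

P, PHI, Q = at("l0"), disj(at("l0"), at("l1")), atom(lambda s: s["x"] != 0)
THETA = conj(conj(at("l0"), at("m0")), atom(lambda s: s["x"] == 0 and s["y"] == 0))

PROPERTIES = {
    "invariance  [](y >= 0)":                 always(atom(lambda s: s["y"] >= 0)),
    "invariance  at_l2 => x = 1":             entails(at("l2"), atom(lambda s: s["x"] == 1)),
    "waiting-for at_l0 => at_l0,1 W x /= 0":  entails(P, waiting_for(PHI, Q)),
    "canonical   [](~phi -> (~p) B q)":       always(impl(neg(PHI), back_to(neg(P), Q))),
    "response    Theta => <>(at_l2 & at_m1)": entails(THETA, eventually(conj(at("l2"), at("m1")))),
}


def check_all(m=ANYY_RUN):
    """Evaluate every property on the model; returns {name: holds_on_model}."""
    return {name: valid_on(m, f) for name, f in PROPERTIES.items()}


if __name__ == "__main__":
    for name, ok in check_all().items():
        print(("valid  " if ok else "FAILS  ") + name)
```

The `until` scan stops after `n + 1` positions because, from any position, the states visited afterwards are already among those of one full unrolling of prefix and cycle; past operators need no such bound since they only look back to position 0, as Section 2.4 notes. A formula that is not valid on this computation, such as $at\_\ell_0 \Rightarrow \Diamond at\_\ell_1$, evaluates to false from position 2 onward.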

2.6  Verifying  Safety  Properties 

We present several proof rules for establishing the $P$-validity of a safety formula. From now on, we fix our attention on a particular program $P$, specified by the components

$$\langle V, \Theta, T, J, C \rangle.$$

Verification Conditions

For a transition $\tau$ and state formulas $p$ and $q$, we define the verification condition of $\tau$, relative to $p$ and $q$, denoted $\{p\}\,\tau\,\{q\}$, to be the implication:

$$(\rho_\tau \wedge p) \to q',$$

where $\rho_\tau$ is the transition relation corresponding to $\tau$, and $q'$, the primed version of the assertion $q$, is obtained from $q$ by replacing each variable occurring in $q$ by its primed version. Since $\rho_\tau$ holds for two states $s$ and $s'$ iff $s'$ is a $\tau$-successor of $s$, and $q'$ states that $q$ holds on $s'$, it is not difficult to see that

    if the verification condition $\{p\}\,\tau\,\{q\}$ is valid, then every $\tau$-successor of a $p$-state is a $q$-state.

For a set of transitions $\mathcal{T} \subseteq T$, we denote by $\{p\}\,\mathcal{T}\,\{q\}$ the conjunction of verification conditions, containing the conjunct $\{p\}\,\tau\,\{q\}$ for each $\tau \in \mathcal{T}$.

In the context of program ANY-Y, consider for example the verification condition of $\ell_1$ (i.e., transition $\tau_{\ell_1}$), with respect to assertions $y \geq 0$ and $y \geq 0$:

$$\{y \geq 0\}\ \ell_1\ \{y \geq 0\}.$$

Expanding the definition of the verification condition, this yields

$$\underbrace{\ell_1 \in \pi \wedge \pi' = \pi - \{\ell_1\} \cup \{\ell_0\} \wedge x' = x \wedge y' = y + 1}_{\rho_{\ell_1}} \ \wedge\ \underbrace{y \geq 0}_{p} \ \to\ \underbrace{y' \geq 0}_{q'},$$

which is assertionally valid. This shows that every $\ell_1$-successor of a state satisfying $y \geq 0$ satisfies $y \geq 0$.

The Initiality Rule

Obviously, the initial condition $\Theta$ holds at the first position of every computation of $P$. Consequently, $\Theta$ is a P-valid formula. It is useful to cast this fact in the form of a rule, to which we refer as the initiality rule INIT.

    INIT   $\Theta \Rightarrow \varphi$
           ------------------
           $\varphi$

The rule states that if $\Theta$ entails $\varphi$, i.e., implies $\varphi$ at any position, then $\varphi$ is P-valid. In this and subsequent rules we employ the convention that a line containing a temporal formula states its P-validity.

It is possible to have a version of the INIT rule in which the premise is the implication $\Theta \to \varphi$ rather than the entailment $\Theta \Rightarrow \varphi$. For our use here, the entailment is more convenient.

Rule INIT enables us to infer for program ANY-Y the property

    $\Diamond(\mathit{at}\_\ell_2 \land \mathit{at}\_m_1)$

from the entailment

    $\underbrace{\pi = \{\ell_0, m_0\} \land x = 0 \land y = 0}_{\Theta} \ \Rightarrow\ \Diamond(\mathit{at}\_\ell_2 \land \mathit{at}\_m_1)$.

As shown by this example, which deals with a response property, rule INIT is not restricted to proofs of safety properties. We have presented it here since it is one of the most basic rules and should be considered first.

A Waiting-For Rule

The following rule can be used to establish the P-validity of the waiting-for formula $p \Rightarrow \varphi\,\mathcal{W}\,q$ for assertions $p$, $\varphi$, and $q$, over a given program $P$.

    WAIT   W1. $p \to (q \lor \varphi)$
           W2. $\{\varphi\}\ \mathcal{T}\ \{q \lor \varphi\}$
           ----------------------------------
           $p \Rightarrow \varphi\,\mathcal{W}\,q$

This rule contains two premises, which are state formulas, and a temporal conclusion. By our common convention, a line (premise or conclusion) containing a state formula $r$ claims that $r$ is P-state valid while, as previously explained, a line containing a temporal formula $\psi$ claims that $\psi$ is P-valid.

Premise W1 of the rule claims that any $p$-state satisfies $q$ or $\varphi$. Premise W2 claims that any successor of a $\varphi$-state satisfies $q$ or $\varphi$. Together, they imply that any $p$-position in a computation of $P$ initializes a sequence of $\varphi$-positions which either extends to infinity or is terminated by a $q$-position. This shows that $p \Rightarrow \varphi\,\mathcal{W}\,q$ holds over all computations of $P$.

Example 1  Let us apply rule WAIT to establish the property

    $x = 0 \ \Rightarrow\ (x = 0)\,\mathcal{W}\,(x = 1)$

for program ANY-Y.

Clearly, we apply rule WAIT with $p = \varphi : x = 0$ and $q : x = 1$. Premise W1 assumes the form

    $x = 0 \ \to\ x = 1 \lor x = 0$,

which is obviously valid.

Premise W2 represents a set of verification conditions

    $\rho_\tau \land x = 0 \ \to\ x' = 1 \lor x' = 0$,

for $\tau$ ranging over $\tau_I$, $\ell_0$, $\ell_1$, and $m_0$. In principle, we should check each of these four conditions separately. However, as is often the case, many of these transitions can be seen to trivially satisfy the verification condition since they do not modify $x$. Formally, the transition relation for these transitions contains the conjunct $x' = x$, leading to the obvious validity

    $\underbrace{\cdots \land x' = x}_{\rho_\tau} \land x = 0 \ \to\ \cdots \lor x' = 0$.

Thus, we only need to consider transitions that modify $x$. This leaves transition $m_0$, whose verification condition can be written as

    $\underbrace{\cdots \land x' = 1 \land \cdots}_{\rho_{m_0}} \land x = 0 \ \to\ x' = 1 \lor \cdots$,

which is obviously valid. This establishes the property $x = 0 \Rightarrow (x = 0)\,\mathcal{W}\,(x = 1)$ as valid over program ANY-Y.

Monotonicity of Waiting-For Formulas

All the temporal operators are monotonic with respect to implication of state formulas. This means that if $p \to q$ and $\circledast p$ are both valid then so is $\circledast q$, where $\circledast$ stands for any of the unary temporal operators and $p$, $q$ are state formulas. Similar monotonicity properties hold for each argument of the binary temporal operators.

This enables inference of a new waiting-for formula from a previously established formula by appropriate weakening and strengthening of the assertions appearing in the formula. The precise premises are listed in rule W-MON.

    W-MON   $p \Rightarrow \varphi\,\mathcal{W}\,q$
            $p' \to p,\qquad \varphi \to \varphi',\qquad q \to q'$
            ----------------------------------------------
            $p' \Rightarrow \varphi'\,\mathcal{W}\,q'$

Using this rule, we can infer the property $\mathit{at}\_m_0 \land x = 0 \Rightarrow (x < 1)\,\mathcal{W}\,(x = 1)$ for program ANY-Y from the previously established $x = 0 \Rightarrow (x = 0)\,\mathcal{W}\,(x = 1)$, using the state validities

    $\mathit{at}\_m_0 \land x = 0 \ \to\ x = 0$
    $x = 0 \ \to\ x < 1$

The combination of rules WAIT and W-MON is complete for proving the P-validity of any waiting-for formula $p \Rightarrow \varphi\,\mathcal{W}\,q$ for assertions $p$, $\varphi$, and $q$ [MP83].
Case Splitting

It often happens that the assertion $\varphi$ appearing in rule WAIT naturally splits into a disjunction

    $\varphi \ =\ \bigvee_{i \in M} \varphi_i$,

where $M$ is some finite index range, e.g., $M = \{1, \ldots, m\}$. In this case, it may be easier to prove premises W1 and W2 of the rule in the form:

    W1. $p \to q \lor \varphi_i$ for some $i \in M$
    W2. $\{\varphi_i\}\ \mathcal{T}\ \{q \lor \varphi\}$ for every $i \in M$

Consider a proof of the property

    $\mathit{at}\_\ell_0 \land x = 0 \ \Rightarrow\ (\mathit{at}\_\ell_{0,1} \land x = 0)\,\mathcal{W}\,(x = 1)$

for program ANY-Y. In this case $\varphi : \mathit{at}\_\ell_{0,1} \land x = 0$ naturally splits into the disjunction $\varphi_0 \lor \varphi_1$, where

    $\varphi_0 : \mathit{at}\_\ell_0 \land x = 0$
    $\varphi_1 : \mathit{at}\_\ell_1 \land x = 0$.

In proving premise W1, it is simpler to prove $\mathit{at}\_\ell_0 \land x = 0 \to \varphi_0$.

In proving W2, it is easier to consider separately the cases of $\varphi_0$ and $\varphi_1$. This is because we may summarize the effects of the various transitions on a $\varphi_0$-state by the following table:

    Transition    Successor State
    ----------    ---------------------
    $\tau_I$      satisfies $\varphi_0$
    $\ell_0$      satisfies $\varphi_1$
    $\ell_1$      no successor
    $m_0$         satisfies $q : x = 1$

Note that transition $\ell_1$ is disabled on $\varphi_0$ and therefore the verification condition $\{\varphi_0\}\ \ell_1\ \{\psi\}$ holds trivially for an arbitrary $\psi$.

The effects of transitions on a $\varphi_1$-state are summarized in the following table:

    Transition    Successor State
    ----------    ---------------------
    $\tau_I$      satisfies $\varphi_1$
    $\ell_0$      no successor
    $\ell_1$      satisfies $\varphi_0$
    $m_0$         satisfies $q : x = 1$

Together, these two tables (with the associated formal proofs) establish premise W2.


Proof Diagrams for Waiting-For Formulas

As we become more experienced in conducting proofs according to rule WAIT and similar rules, proofs need not be presented with full formal detail. However, identification of the structure of the verification conditions and of how transitions may lead from a state satisfying some $\varphi_i$ into a state satisfying some $\varphi_j$ is helpful in increasing confidence in the correctness of the proof. In the preceding discussion we illustrated how this information can be represented by tables. Here we will introduce another representation of this information, provided by proof diagrams.

A proof diagram is a directed graph consisting of a finite set of nodes $N$ and a set of directed edges $E$ connecting the nodes. Each node $n_i$ is labeled by an assertion $\varphi_i$, and each edge is labeled with the name of a transition.

Two subsets of nodes are identified: $I \subseteq N$, the set of initial nodes, and $F \subseteq N$, the set of terminal nodes. We denote by $M = N - F$ the set of nonterminal nodes. An example of a proof diagram is presented in Fig. 2. This diagram consists of three nodes $n_0$, $n_1$, and $n_2$. There is one initial node, $I = \{n_0\}$, and one terminal node, $F = \{n_2\}$. Initial nodes are graphically identified by one annotation and terminal nodes by another.

    Figure 2: A proof diagram. (Recovered node label: $n_0$ is labeled $\varphi_0 : \mathit{at}\_\ell_0 \land x = 0$.)

If node $n_i$ is connected to node $n_j$ by an edge labeled by $\tau$, we say that $n_j$ is a $\tau$-successor of $n_i$.

A proof diagram is defined to be sound if, for every nonterminal node $n \in M$ labeled by assertion $\varphi$ and every transition $\tau \in \mathcal{T}$:

• If $n_1, \ldots, n_k$ are all the $\tau$-successors of $n$ for some $k > 0$, then the verification condition

    $\{\varphi\}\ \tau\ \{\bigvee_{i=1}^{k} \varphi_i\}$

  is assertionally valid.

• If $n$ has no $\tau$-successor then the verification condition

    $\{\varphi\}\ \tau\ \{\varphi\}$

  is assertionally valid.

According to this definition, a node $n$ that has no $\tau$-successor is the same as a node $n$ having a self-connecting edge labeled by $\tau$.

It is obvious that a sound proof diagram identifies a set of verification conditions that can serve as the premises to rule WAIT. Indeed, we have the following claim.

Claim 1  A sound proof diagram establishes the P-validity of the formula¹

    $\bigvee_{i \in I} \varphi_i \ \Rightarrow\ \Bigl(\bigvee_{i \in M} \varphi_i\Bigr)\,\mathcal{W}\,\Bigl(\bigvee_{i \in F} \varphi_i\Bigr)$

It is not difficult to show that the premises of rule WAIT for the choice

    $p : \bigvee_{i \in I} \varphi_i,\qquad \varphi : \bigvee_{i \in M} \varphi_i,\qquad q : \bigvee_{i \in F} \varphi_i$

follow from the soundness of the proof diagram.

Premise W1 requires showing

    $\bigvee_{i \in I} \varphi_i \ \to\ \Bigl(\bigvee_{i \in F} \varphi_i\Bigr) \lor \Bigl(\bigvee_{i \in M} \varphi_i\Bigr)$.

This follows from the fact that $I \subseteq (F \cup M) = N$.

Premise W2 requires showing, for each node $n_j \in M$ labeled by $\varphi_j$ and each transition $\tau \in \mathcal{T}$, the validity of the verification condition

    $\{\varphi_j\}\ \tau\ \{\bigvee_{i \in F \cup M} \varphi_i\}$.

However, this follows immediately from the soundness of the proof diagram.

To simplify the notation, we will often write $\varphi_K$ as an abbreviation for the disjunction

    $\bigvee_{i \in K} \varphi_i$

for any $K \subseteq N$. With this notation, the conclusion of Claim 1 can be rewritten as

    $\varphi_I \ \Rightarrow\ \varphi_M\,\mathcal{W}\,\varphi_F$.

¹ Note the abuse of notation by which we use $I$, $M$, and $F$ to denote sets of nodes as well as sets of the indices of these nodes. We hope that the ensuing ambiguity can always be resolved by the context.
To increase our proving power, we often combine proof diagrams with monotonicity arguments.

It is not difficult to see that the diagram presented in Fig. 2 is sound for program ANY-Y. This establishes the validity of the formula

    $\mathit{at}\_\ell_0 \land x = 0 \ \Rightarrow\ [(\mathit{at}\_\ell_0 \land x = 0) \lor (\mathit{at}\_\ell_1 \land x = 0)]\,\mathcal{W}\,(x = 1)$

over program ANY-Y. Note that this formula is equivalent to

    $\mathit{at}\_\ell_0 \land x = 0 \ \Rightarrow\ (\mathit{at}\_\ell_{0,1} \land x = 0)\,\mathcal{W}\,(x = 1)$.

We define a proof diagram $D$ to be valid with respect to assertions $p$, $\varphi$, and $q$ if $D$ is sound and the following implications are assertionally valid:

    $p \to \bigvee_{i \in I} \varphi_i,\qquad \Bigl(\bigvee_{i \in M} \varphi_i\Bigr) \to \varphi,\qquad \Bigl(\bigvee_{i \in F} \varphi_i\Bigr) \to q$.

Combining Claim 1 with monotonicity, we obtain the following corollary:

Corollary 1  If diagram $D$ is valid with respect to assertions $p$, $\varphi$, and $q$, then the formula

    $p \ \Rightarrow\ \varphi\,\mathcal{W}\,q$

is P-valid.

Consider the sound diagram of Fig. 2 and the assertions

    $p : \Theta,\qquad \varphi : \mathit{at}\_\ell_{0,1},\qquad q : x \ne 0$.

The required monotonicity conditions for these three assertions are

    $\Theta \ \to\ \mathit{at}\_\ell_0 \land x = 0$
    $(\mathit{at}\_\ell_0 \land x = 0) \lor (\mathit{at}\_\ell_1 \land x = 0) \ \to\ \mathit{at}\_\ell_{0,1}$
    $x = 1 \ \to\ x \ne 0$

All three are valid. It follows that the diagram of Fig. 2 is valid with respect to this choice of $p$, $\varphi$, and $q$, and therefore that the formula

    $\Theta \ \Rightarrow\ (\mathit{at}\_\ell_{0,1})\,\mathcal{W}\,(x \ne 0)$

is valid over program ANY-Y.

Statechart Conventions

There are several conventions inspired by the visual language of statecharts [Har87] that improve the presentation and readability of proof diagrams. We extend the notion of a directed graph into a structured directed graph by allowing compound nodes that may encapsulate other nodes, and edges that may depart from or arrive at compound nodes. A node that does not encapsulate other nodes is called a basic node. The role of compound nodes in a structured proof diagram is to provide a more succinct representation of the assertions labeling the basic nodes and the edges (labeled by transitions) that connect them.

We use the following conventions:

• Labels of compound nodes: a diagram containing a compound node $n$, labeled by an assertion $\varphi$ and encapsulating nodes $n_1, \ldots, n_k$ with assertions $\varphi_1, \ldots, \varphi_k$, is equivalent to a diagram in which $n$ is unlabeled and nodes $n_1, \ldots, n_k$ are labeled by $\varphi_1 \land \varphi, \ldots, \varphi_k \land \varphi$. This convention allows us to factor out a conjunct common to the encapsulated nodes and place it as a label of the compound node.

• Edges entering and exiting compound nodes: a diagram containing an edge $e$ connecting node $A$ to a compound node $n$ encapsulating nodes $n_1, \ldots, n_k$ is equivalent to a diagram in which there is an edge connecting $A$ to each $n_i$, $i = 1, \ldots, k$, with the same label as $e$. Similarly, an edge $e$ connecting the compound node $n$ to node $B$ is the same as having a separate edge connecting each $n_i$, $i = 1, \ldots, k$, to $B$ with the same label as $e$. These equivalences are illustrated in Fig. 3.

    Figure 3: Edges entering and exiting compound nodes.

• Compound nodes designated as initial and terminal nodes: a diagram in which a compound node $n$ is designated as an initial (respectively, terminal) node is the same as having all the nodes encapsulated by $n$ designated as initial (respectively, terminal). These equivalences are illustrated in Fig. 4.

    Figure 4: Initial and terminal compound nodes.

With these conventions we can redraw the proof diagram of Fig. 2 as shown in Fig. 5. Note that the common conjunct $x = 0$ has been factored out of nodes $n_0$ and $n_1$ and now appears as the label of the compound node encapsulating them.

    Figure 5: A structured proof diagram.
A Rule for Invariance Formulas

Our approach to proving invariance formulas of the form $\Box\varphi$, for a state formula $\varphi$, is based on the congruence

    $\Box\varphi \ \approx\ \varphi\,\mathcal{W}\,\mathsf{F}$.

Consider rule WAIT for the special case that $p$ is taken to be $\Theta$ while $q$ is taken to be $\mathsf{F}$. The conclusion for this case is $\Theta \Rightarrow \varphi\,\mathcal{W}\,\mathsf{F}$, which is congruent to $\Theta \Rightarrow \Box\varphi$. Invoking rule INIT, we may infer $\Box\varphi$ as a P-valid conclusion. Consequently, simplifying the premises, we obtain the following rule for proving invariance formulas.

    INV   I1. $\Theta \to \varphi$
          I2. $\{\varphi\}\ \mathcal{T}\ \{\varphi\}$
          ---------------------------
          $\Box\varphi$

Rule INV states the obvious fact that if assertion $\varphi$ is implied by the initial condition and preserved by any transition of the program, then it is an invariant of the program, i.e., holds on all P-accessible states.

Let us illustrate the application of rule INV for proving the property $\Box(y \ge 0)$ for program ANY-Y. Clearly, $\varphi$ is taken to be $y \ge 0$. Premise I1 for this case is

    $\cdots \land y = 0 \ \to\ y \ge 0$,

which is obviously valid. For premise I2, we consider first the verification condition for transition $\ell_1$,

    $\underbrace{\cdots \land y' = y + 1}_{\rho_{\ell_1}} \land y \ge 0 \ \to\ y' \ge 0$,

which is also valid. All other transitions preserve the value of $y$ and therefore trivially preserve $\varphi : y \ge 0$.

Monotonicity of Invariance Formulas

Invariance formulas are also monotonic with respect to the assertion claimed to be invariant. This is expressed by the following rule I-MON.

    I-MON   $\Box\varphi$
            $\varphi \to \varphi'$
            ------------------
            $\Box\varphi'$

Using this rule, we can infer the property $\Box(x \ge 0)$ from a previous proof of the invariance $\Box(x = 0 \lor x = 1)$ (valid for program ANY-Y) and the state validity

    $(x = 0 \lor x = 1) \ \to\ x \ge 0$.

The combination of rules INV and I-MON is complete for proving the P-validity of any invariance formula $\Box p$ for assertion $p$ [MP91a].
Proof Diagrams for Invariance

Since, as previously shown, invariance formulas are a special case of waiting-for formulas, it is not surprising that their proof can also be conveniently represented by proof diagrams. A proof diagram $D$ is defined to be invariance-sound if

• $D$ is sound (in the sense defined for waiting-for diagrams).

• There are no terminal nodes, i.e., $F = \emptyset$ and therefore $M = N$. This reflects the fact that $q = \mathsf{F}$.

• $\Theta \to \varphi_I$.

Incorporating monotonicity, diagram $D$ is said to be invariance-valid with respect to $\varphi$ if it is invariance-sound (satisfies the three requirements listed above) and, in addition, satisfies

• $\varphi_M \to \varphi$.

The following claim summarizes the use of invariance-valid diagrams.

Claim 2  If diagram $D$ is invariance-valid with respect to assertion $\varphi$, then the formula

    $\Box\varphi$

is P-valid.

As an example, we present in Fig. 6 a proof diagram that is invariance-valid over program ANY-Y with respect to $\varphi : \mathit{at}\_\ell_2 \to x = 1$. It is not difficult to verify that the diagram of Fig. 6 is sound. One of the important steps in this verification observes that transition $\ell_0$ is disabled on node $n_1$, while transition $\ell_1$ is disabled on $n_0$. Therefore, $\ell_0$ trivially preserves $\varphi_1 : \mathit{at}\_\ell_1 \land x = 0 \land \lnot\mathit{at}\_\ell_2$, while $\ell_1$ preserves $\varphi_0 : \mathit{at}\_\ell_0 \land x = 0 \land \lnot\mathit{at}\_\ell_2$. It is also evident that this diagram has no final nodes. Invariance-soundness is completed by checking the obviously valid implication

    $\underbrace{\pi = \{\ell_0, m_0\} \land x = 0 \land \cdots}_{\Theta} \ \to\ \underbrace{\mathit{at}\_\ell_0 \land x = 0 \land \lnot\mathit{at}\_\ell_2}_{\varphi_I = \varphi_0}$.

Validity with respect to $\mathit{at}\_\ell_2 \to x = 1$, which can also be written as $\lnot\mathit{at}\_\ell_2 \lor x = 1$, follows from the implication

    $\underbrace{(\mathit{at}\_\ell_0 \land x = 0 \land \lnot\mathit{at}\_\ell_2) \lor (\mathit{at}\_\ell_1 \land x = 0 \land \lnot\mathit{at}\_\ell_2) \lor (x = 1)}_{\varphi_M = \varphi_0 \lor \varphi_1 \lor \varphi_2} \ \to\ \lnot\mathit{at}\_\ell_2 \lor x = 1$.

The same property can also be established by the simpler diagram

    (a two-node diagram: a node labeled $x = 0 \land \lnot\mathit{at}\_\ell_2$ with an edge to a node labeled $x = 1$)

    Figure 6: An invariance proof diagram. (Recovered labels: a compound node labeled $x = 0 \land \lnot\mathit{at}\_\ell_2$ encapsulating $n_0$ with $\varphi_0 : \mathit{at}\_\ell_0$ and $n_1$ with $\varphi_1 : \mathit{at}\_\ell_1$; node $n_2$ with $\varphi_2 : x = 1$.)


2.7 Verifying Response Properties

Here we consider rules (and diagrams) for verifying the validity of a response formula $p \Rightarrow \Diamond q$ for the case that $p$ and $q$ are assertions.

The basic response rule RESP relies on a helpful transition $\tau_h$ whose activation accomplishes the goal $q$ in one helpful step. It also uses an auxiliary assertion $\varphi$, characterizing the situation between the occurrence of $p$ and the occurrence of $q$.

    RESP   R1. $p \Rightarrow (q \lor \varphi)$
           R2. $\{\varphi\}\ \mathcal{T} - \{\tau_h\}\ \{q \lor \varphi\}$
           R3. $\{\varphi\}\ \tau_h\ \{q\}$
           R4. $\varphi \Rightarrow (q \lor \mathit{En}(\tau_h))$
           ---------------------------------------------
           $p \Rightarrow \Diamond q$

Premise R1 ensures that $p$ entails $q$ or $\varphi$. Premise R2 states that any transition of the program, excluding $\tau_h$, either leads from $\varphi$ to $q$, or preserves $\varphi$. Premise R3 states that the helpful transition leads from $\varphi$ to $q$. Premise R4 ensures that $\tau_h$ is enabled on any $\varphi$-state that does not satisfy $q$. It is not difficult to see that if $p$ happens, but is not followed by a $q$, then $\varphi$ must hold continuously beyond this point, and $\tau_h$ is not taken. However, due to R4, this means that $\tau_h$ is continuously enabled but never taken, which violates the requirement of justice with respect to $\tau_h$. Consequently, any occurrence of $p$ must be followed by an occurrence of $q$.

We illustrate the use of rule RESP for proving the response property

    $\mathit{at}\_m_0 \ \Rightarrow\ \Diamond(x = 1)$

for program ANY-Y.

As the helpful transition $\tau_h$ we take $m_0$. As the intermediate assertion $\varphi$ we take $\varphi : \mathit{at}\_m_0$. Premise R1 assumes the form

    $\underbrace{\mathit{at}\_m_0}_{p} \ \to\ \cdots \lor \underbrace{\mathit{at}\_m_0}_{\varphi}$,

which is obviously valid. Premise R2 requires showing that all transitions, excluding $m_0$, preserve $\varphi : \mathit{at}\_m_0$, which is clearly the case.

Premise R3 requires showing that $m_0$ leads from any $\varphi$-state to a $q$-state, expressed by

    $\underbrace{\cdots \land x' = 1 \land \cdots}_{\rho_{m_0}} \ \to\ \underbrace{x' = 1}_{q'}$,

which is obviously valid. Finally, R4 requires

    $\underbrace{\mathit{at}\_m_0}_{\varphi} \ \to\ \cdots \lor \underbrace{\mathit{at}\_m_0}_{\mathit{En}(m_0)}$,

which is also valid. This establishes that the response property $\mathit{at}\_m_0 \Rightarrow \Diamond(x = 1)$ is valid over program ANY-Y.
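The verification conditions, rule WAIT (including the case-split example), rule INV and rule RESP can all be checked mechanically for ANY-Y, whose state space is finite once $y$ is left out. The following Python is an added example, not code from the paper; the program shape $P_1 :: [\ell_0 : \mathbf{while}\ x = 0\ \mathbf{do}\ [\ell_1 : y := y + 1];\ \ell_2] \parallel P_2 :: [m_0 : x := 1;\ m_1]$ and all function names are assumptions reconstructed from the verification conditions quoted in this section.

```python
# Added example (not from the paper): program ANY-Y as a finite transition
# system, plus checkers for the verification condition {p} tau {q} and for the
# premises of rules WAIT, INV and RESP.  Assumed program shape, reconstructed
# from the verification conditions quoted in the text:
#   P1 :: [l0: while x = 0 do [l1: y := y + 1]; l2]  ||  P2 :: [m0: x := 1; m1]
# y is dropped from the state: no transition guard tests it and none of the
# assertions checked here mentions it, so the abstraction is exact for these
# checks.  A state is a triple (pc1, pc2, x).
from itertools import product

STATES = list(product(("l0", "l1", "l2"), ("m0", "m1"), (0, 1)))

def rho_idle(s):
    """tau_I: always enabled, leaves the state unchanged."""
    return [s]

def rho_l0(s):
    """l0: loop test; with x = 0 control moves to l1, otherwise to l2."""
    pc1, pc2, x = s
    return [("l1" if x == 0 else "l2", pc2, x)] if pc1 == "l0" else []

def rho_l1(s):
    """l1: y := y + 1 (not tracked) and control returns to l0."""
    pc1, pc2, x = s
    return [("l0", pc2, x)] if pc1 == "l1" else []

def rho_m0(s):
    """m0: x := 1 and control moves to m1."""
    pc1, pc2, x = s
    return [(pc1, "m1", 1)] if pc2 == "m0" else []

TRANSITIONS = {"tau_I": rho_idle, "l0": rho_l0, "l1": rho_l1, "m0": rho_m0}

def theta(s):
    """Initial condition: at_l0 and at_m0 and x = 0 (y = 0 not tracked)."""
    return s == ("l0", "m0", 0)

def enabled(tau, s):
    return bool(TRANSITIONS[tau](s))

# assertion builders: an assertion is a predicate on states
def at(loc):
    return lambda s: loc in s[:2]

def x_eq(v):
    return lambda s: s[2] == v

def conj(*ps):
    return lambda s: all(p(s) for p in ps)

def disj(*ps):
    return lambda s: any(p(s) for p in ps)

def vc(p, tau, q):
    """{p} tau {q}: every tau-successor of every p-state is a q-state."""
    return all(q(t) for s in STATES if p(s) for t in TRANSITIONS[tau](s))

def vc_set(p, q, exclude=()):
    """{p} T {q}: conjunction of {p} tau {q} over all tau not in exclude."""
    return all(vc(p, tau, q) for tau in TRANSITIONS if tau not in exclude)

def wait_rule(p, phi, q):
    """Premises W1 and W2 of rule WAIT for  p => phi W q."""
    w1 = all(q(s) or phi(s) for s in STATES if p(s))
    return w1 and vc_set(phi, disj(q, phi))

def inv_rule(phi):
    """Premises I1 and I2 of rule INV for  []phi."""
    i1 = all(phi(s) for s in STATES if theta(s))
    return i1 and vc_set(phi, phi)

def resp_rule(p, phi, q, helpful):
    """Premises R1-R4 of rule RESP for  p => <>q  with helpful transition tau_h."""
    r1 = all(q(s) or phi(s) for s in STATES if p(s))
    r2 = vc_set(phi, disj(q, phi), exclude=(helpful,))
    r3 = vc(phi, helpful, q)
    r4 = all(q(s) or enabled(helpful, s) for s in STATES if phi(s))
    return r1 and r2 and r3 and r4

if __name__ == "__main__":
    at_l01 = disj(at("l0"), at("l1"))
    # Example 1:  x = 0 => (x = 0) W (x = 1)
    print(wait_rule(x_eq(0), x_eq(0), x_eq(1)))
    # case-split example:  at_l0 & x = 0 => (at_l0,1 & x = 0) W (x = 1)
    print(wait_rule(conj(at("l0"), x_eq(0)), conj(at_l01, x_eq(0)), x_eq(1)))
    # phi too strong: l0 leads to at_l1 & x = 0, which is neither q nor phi
    print(wait_rule(conj(at("l0"), x_eq(0)), conj(at("l0"), x_eq(0)), x_eq(1)))
    # Fig. 6 invariant [](at_l2 -> x = 1) holds; x = 0 alone is not preserved by m0
    print(inv_rule(disj(lambda s: not at("l2")(s), x_eq(1))), inv_rule(x_eq(0)))
    # RESP: at_m0 => <>(x = 1) with tau_h = m0, and step 1 of the termination proof
    print(resp_rule(at("m0"), at("m0"), x_eq(1), "m0"))
    print(resp_rule(conj(at("l0"), at("m0"), x_eq(0)),
                    conj(at_l01, at("m0"), x_eq(0)),
                    conj(at_l01, at("m1"), x_eq(1)), "m0"))
```

Because the checks quantify over all type-consistent states rather than only reachable ones, a True result is exactly the assertional validity the rules demand.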


Combining Response Properties

Not all response properties are achieved by a single activation of a helpful transition. In general, several helpful steps are necessary. In this subsection, we present several rules that may be used to combine single-step response properties into more complex response properties.

First, we list two basic rules, which express the monotonicity and transitivity of response properties.

    R-MON   $p \Rightarrow \Diamond q$
            $p' \to p,\qquad q \to q'$
            --------------------------
            $p' \Rightarrow \Diamond q'$

    R-TRANS   $p \Rightarrow \Diamond q$
              $q \Rightarrow \Diamond r$
              ----------------------
              $p \Rightarrow \Diamond r$

The last rule for response is R-CASE, which allows proofs by case analysis.

    R-CASE   $p \Rightarrow \Diamond q$
             $r \Rightarrow \Diamond q$
             --------------------------
             $(p \lor r) \Rightarrow \Diamond q$

We will illustrate the use of these rules by proving termination of program ANY-Y, expressible by

    $\Diamond(\mathit{at}\_\ell_2 \land \mathit{at}\_m_1)$.

The proof consists of the following steps:

1. $\mathit{at}\_\ell_0 \land \mathit{at}\_m_0 \land x = 0 \ \Rightarrow\ \Diamond(\mathit{at}\_\ell_{0,1} \land \mathit{at}\_m_1 \land x = 1)$
   by rule RESP, taking $\tau_h : m_0$ and $\varphi : \mathit{at}\_\ell_{0,1} \land \mathit{at}\_m_0 \land x = 0$

2. $\mathit{at}\_\ell_0 \land \mathit{at}\_m_1 \land x = 1 \ \Rightarrow\ \Diamond(\mathit{at}\_\ell_2 \land \mathit{at}\_m_1)$
   by rule RESP, taking $\tau_h : \ell_0$ and $\varphi : \mathit{at}\_\ell_0 \land \mathit{at}\_m_1 \land x = 1$

3. $\mathit{at}\_\ell_1 \land \mathit{at}\_m_1 \land x = 1 \ \Rightarrow\ \Diamond(\mathit{at}\_\ell_0 \land \mathit{at}\_m_1 \land x = 1)$
   by rule RESP, taking $\tau_h : \ell_1$ and $\varphi : \mathit{at}\_\ell_1 \land \mathit{at}\_m_1 \land x = 1$

4. $\mathit{at}\_\ell_1 \land \mathit{at}\_m_1 \land x = 1 \ \Rightarrow\ \Diamond(\mathit{at}\_\ell_2 \land \mathit{at}\_m_1)$
   by rule R-TRANS, applied to 3 and 2

5. $(\mathit{at}\_\ell_0 \land \mathit{at}\_m_1 \land x = 1) \lor (\mathit{at}\_\ell_1 \land \mathit{at}\_m_1 \land x = 1) \ \Rightarrow\ \Diamond(\mathit{at}\_\ell_2 \land \mathit{at}\_m_1)$
   by rule R-CASE, applied to 2 and 4

6. $\mathit{at}\_\ell_{0,1} \land \mathit{at}\_m_1 \land x = 1 \ \to\ (\mathit{at}\_\ell_0 \land \mathit{at}\_m_1 \land x = 1) \lor (\mathit{at}\_\ell_1 \land \mathit{at}\_m_1 \land x = 1)$
   an assertional validity

7. $\mathit{at}\_\ell_{0,1} \land \mathit{at}\_m_1 \land x = 1 \ \Rightarrow\ \Diamond(\mathit{at}\_\ell_2 \land \mathit{at}\_m_1)$
   by rule R-MON, using 5 and 6

8. $\mathit{at}\_\ell_0 \land \mathit{at}\_m_0 \land x = 0 \ \Rightarrow\ \Diamond(\mathit{at}\_\ell_2 \land \mathit{at}\_m_1)$
   by rule R-TRANS, applied to 1 and 7

9. $\Theta \ \to\ \mathit{at}\_\ell_0 \land \mathit{at}\_m_0 \land x = 0$
   an assertional validity

10. $\Theta \ \Rightarrow\ \Diamond(\mathit{at}\_\ell_2 \land \mathit{at}\_m_1)$
    by rule R-MON, applied to 8 and 9

11. $\Diamond(\mathit{at}\_\ell_2 \land \mathit{at}\_m_1)$
    by rule INIT, applied to 10

The combination of rules RESP, R-MON, R-TRANS, and R-CASE with well-founded induction is complete for proving the P-validity of any response formula $p \Rightarrow \Diamond q$ for assertions $p$ and $q$ [MP91a].

Proof Diagrams for Response

As seen in the previous proof, it is often the case that a proof of a response property involves several applications of rule RESP. Such a proof can be conveniently represented in the form of a response proof diagram.

A response diagram is a proof diagram in which some of the edges are drawn in a special font. In this paper, we draw them as dotted lines. We refer to such edges as the helpful edges. They correspond to the helpful transitions.

A response diagram $D$ is defined to be response-sound if it satisfies

• $D$ is sound, i.e., it satisfies all the verification conditions.

• Every nonterminal node $n_i \in M$ has a helpful edge departing from it.

• The graph of $D$ is acyclic, i.e., $D$ contains no cycle.

• If the helpful edge departing from $n_i \in M$ is labeled by transition $\tau$, then

    $\varphi_i \ \to\ \mathit{En}(\tau)$

  is valid. This condition corresponds to premise R4 of rule RESP.

A response diagram is response-valid with respect to assertions $p$ and $q$ if it is response-sound and the following two implications are assertionally valid:

    $p \to \varphi_I,\qquad \varphi_F \to q$.

The following claim summarizes the use of response-valid diagrams.

Claim 3  If diagram $D$ is response-valid with respect to assertions $p$ and $q$, then the formula

    $p \ \Rightarrow\ \Diamond q$

is P-valid.

In Fig. 7 we present a response diagram that is response-valid over program ANY-Y with respect to $p : \Theta$ and $q : \mathit{at}\_\ell_2 \land \mathit{at}\_m_1$. It is not difficult to check that this diagram is sound, i.e., satisfies all the verification conditions. It is obviously acyclic, and every $M$-node (i.e., every node except the final one) has a helpful edge departing from it.

    Figure 7: A response proof diagram.

It is also straightforward to check that $m_0$ is enabled on any state satisfying the assertion $\mathit{at}\_\ell_{0,1} \land \mathit{at}\_m_0 \land x = 0$, $\ell_1$ is enabled on any state satisfying $\mathit{at}\_\ell_1$, and $\ell_0$ is enabled on any state satisfying $\mathit{at}\_\ell_0 \land \mathit{at}\_m_1 \land x = 1$.

Finally, to check validity with respect to $\Theta$ and $\mathit{at}\_\ell_2 \land \mathit{at}\_m_1$, we observe the state validity

    $\underbrace{\mathit{at}\_\ell_0 \land \mathit{at}\_m_0 \land x = 0 \land y = 0}_{\Theta} \ \to\ \mathit{at}\_\ell_{0,1} \land \mathit{at}\_m_0 \land x = 0$

and the fact that $\varphi_F$ is $\mathit{at}\_\ell_2 \land \mathit{at}\_m_1$.

We may conclude from the diagram that the response property

    $\Theta \ \Rightarrow\ \Diamond(\mathit{at}\_\ell_2 \land \mathit{at}\_m_1)$

is valid for program ANY-Y. By rule INIT, we may conclude that ANY-Y always terminates. It is interesting to note that each helpful edge corresponds to a single application of rule RESP in the previously presented deductive proof of the same property, i.e., steps 1, 2, and 3 in the proof.


3 Real-Time Systems

The next model we consider introduces the metric aspect of time, and provides a measure for the time-distance between events as well as for the duration of activities in the system.

The specific model we present here was introduced and discussed in [HMP91], [HMP92]. A closely related model was presented in [AL92]. Many of the process algebra extensions to real time, such as [NSY92], [MT90], and many others listed in [Sif91], are based on very similar assumptions.

3.1 Computational Model: Timed Transition System

As the time domain we take the nonnegative reals $\mathbb{R}^+$. In some cases, we also need its extension $\mathbb{R}^\infty = \mathbb{R}^+ \cup \{\infty\}$.

A timed transition system (TTS) $S = (V, \Theta, \mathcal{T}, l, u)$ consists of the following components:

• $V = \{u_1, \ldots, u_n\}$: A finite set of state variables. A state is any type-consistent interpretation of $V$. The set of all states is denoted by $\Sigma$.

• $\Theta$: The initial condition. A satisfiable assertion characterizing the initial states.

• $\mathcal{T}$: A finite set of transitions. Each transition $\tau \in \mathcal{T}$ is a function

    $\tau : \Sigma \mapsto 2^{\Sigma}$,

  defined by a transition relation $\rho_\tau(V, V')$.

• A minimal delay $l_\tau \in \mathbb{R}^+$ (also called lower bound) for every transition $\tau \in \mathcal{T}$.

• A maximal delay $u_\tau \in \mathbb{R}^\infty$ (also called upper bound) for every transition $\tau \in \mathcal{T}$. It is required that $u_\tau \ge l_\tau$ for all $\tau \in \mathcal{T}$.

Note that, in going from a fair transition system to a timed transition system, we eliminate the fairness-related components of justice and compassion and replace them by the specification of lower and upper bounds.

We introduce a special variable $T$, sometimes called the clock variable. At any point in an execution of a system, $T$ has a value over $\mathbb{R}^+$ representing the current time. The set of variables $V_T = V \cup \{T\}$ is called the set of situation variables. A type-consistent interpretation of $V_T$ is called a situation, and the set of all situations is denoted by $\Sigma_T$. Often, we represent a situation as a pair $(s, t)$ where $s$ is a state and $t \in \mathbb{R}^+$ is the interpretation of the clock $T$.

To simplify the formalism, we assume that all transitions are self-disabling. This means that no transition $\tau \in \mathcal{T}$ can be applied twice in succession to any state, implying that $\tau$ is disabled on any $\tau$-successor of any state, i.e., $\tau(\tau(s)) = \emptyset$ for any $s$. Consequently, we exclude the idling transition $\tau_I$ from timed transition systems.


Computations

A computation of a timed transition system is an infinite sequence of situations

    $\sigma :\ (s_0, t_0),\ (s_1, t_1),\ (s_2, t_2),\ \ldots$,

satisfying:

• Initiation: $s_0 \models \Theta$ and $t_0 = 0$.

• Consecution: For each $j = 0, 1, \ldots$,

  – Either $t_j = t_{j+1}$ and $s_{j+1} \in \tau(s_j)$ for some transition $\tau \in \mathcal{T}$, or

  – $s_j = s_{j+1}$ and $t_j < t_{j+1}$. We refer to this step as a tick step, implying that time has progressed.

• Lower bound: For every transition $\tau \in \mathcal{T}$ and position $j \ge 0$, if $\tau$ is taken at $j$, there exists a position $i \le j$ such that $t_i + l_\tau \le t_j$ and $\tau$ is enabled on $s_i, s_{i+1}, \ldots, s_j$.

  This implies that $\tau$ must be continuously enabled for at least $l_\tau$ time units before it can be taken.

• Upper bound: For every transition $\tau \in \mathcal{T}$ and position $i \ge 0$, if $\tau$ is enabled at position $i$, there exists a position $j$, $i \le j$, such that $t_i + u_\tau \ge t_j$ and $\tau$ is disabled on $s_j$.

  In other words, $\tau$ cannot be continuously enabled for more than $u_\tau$ time units without being taken.

• Time Divergence: As $i$ increases, $t_i$ grows beyond any bound.

Unlike the untimed case, it is not necessary to require that every state has at least one transition enabled on it. This is because, even if all transitions are disabled, we can always take tick steps, which ensures that all computations are infinite. Consequently, we no longer need the idling transition and its removal causes no harm.

The upper bound requirement claims an equivalence between the formal condition that $\tau$ is disabled on $s_j$, for some $j \ge i$ with $t_i + u_\tau \ge t_j$, and the intended requirement that $\tau$ cannot be continuously enabled for more than $u_\tau$ time units without being taken. This equivalence holds only due to the assumption that transitions are self-disabling. Without this assumption, we would have to require that there exists some $j \ge i$, $t_i + u_\tau \ge t_j$, such that either $\tau$ is disabled on $s_j$ or $\tau$ is taken at position $j - 1$. The simplification resulting from the self-disabling assumption becomes significant when we express the formal condition as a formula.

As shown in [HMP91], the model of timed transition systems is expressive enough to capture most of the features specific to real-time programs such as delays, timeouts, preemption, interrupts and multi-programming scheduling.

Example

Consider the simple timed transition system given by:

• State Variables $V : \{x, y\}$.

• Initial Condition $\Theta : (x = 0) \wedge (y = 0)$.

• Transitions $\mathcal{T} : \{\tau_0, \tau_1, \tau_2\}$, where

  $\tau$   | $\rho_\tau$                                              | $l_\tau$ | $u_\tau$
  $\tau_0$ | $(y = 0) \wedge \mathit{even}(x) \wedge (x' = x + 1)$    | 1        | 2
  $\tau_1$ | $(y = 0) \wedge \mathit{odd}(x) \wedge (x' = x + 1)$     | 1        | 2
  $\tau_2$ | $(y = 0) \wedge (y' = 1)$                                | 3        | 3

The predicates $\mathit{even}(x)$ and $\mathit{odd}(x)$ test whether the value of $x$ is even or odd, respectively.

We present two computations of this timed transition system. The first computation $\sigma_1$ attempts to let $x$ reach its maximal possible value. Therefore, we always try to activate $\tau_0$ and $\tau_1$ at the first possible position and $\tau_2$, which causes all three transitions to become disabled, as late as possible.

$$\sigma_1 : \langle x{:}0,\, y{:}0,\, T{:}0\rangle \to \langle x{:}0,\, y{:}0,\, T{:}1\rangle \to \langle x{:}1,\, y{:}0,\, T{:}1\rangle \to \langle x{:}1,\, y{:}0,\, T{:}2\rangle \to \langle x{:}2,\, y{:}0,\, T{:}2\rangle \to \langle x{:}2,\, y{:}0,\, T{:}3\rangle \to \langle x{:}3,\, y{:}0,\, T{:}3\rangle \to \langle x{:}3,\, y{:}1,\, T{:}3\rangle \to \cdots$$

Note that transition $\tau_0$ cannot be taken before $T \geq 1$ and, after it is taken, we must wait one additional time unit before being able to take $\tau_1$. Transition $\tau_2$ must be taken before time progresses beyond 3 in order to respect its upper bound.

The second computation $\sigma_2$ attempts to keep the value of $x$ as low as possible. Consequently, it delays the activation of $\tau_0$ to the latest possible position and tries to activate $\tau_2$ at the earliest possible position.

$$\sigma_2 : \langle x{:}0,\, y{:}0,\, T{:}0\rangle \to \langle x{:}0,\, y{:}0,\, T{:}2\rangle \to \langle x{:}1,\, y{:}0,\, T{:}2\rangle \to \langle x{:}1,\, y{:}0,\, T{:}3\rangle \to \langle x{:}1,\, y{:}1,\, T{:}3\rangle \to \cdots$$

We say that a transition $\tau$ is ripe at position $j$ if it has been continuously enabled for $u_\tau$ time units.
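As an added example (not code from the paper), the following Python checker encodes the three-transition TTS above and tests finite computation prefixes against the consecution, lower-bound and upper-bound requirements: $\sigma_1$ and $\sigma_2$ pass, while a prefix that takes $\tau_0$ at time 0, or leaves it enabled until time 3, is rejected. The state encoding and the `check_prefix` function are this example's own assumptions.

```python
"""Checker for finite prefixes of timed-transition-system (TTS) computations.

Added example, not from the paper.  It encodes the three-transition TTS of this
section (state variables x, y; tau_0 and tau_1 with bounds [1, 2]; tau_2 with
bounds [3, 3]) and tests a prefix of situations (s_j, t_j) against the
consecution, lower-bound and upper-bound requirements.  Time divergence concerns
the infinite computation and cannot be decided on a prefix.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

State = Dict[str, int]
Situation = Tuple[State, int]


@dataclass(frozen=True)
class Transition:
    name: str
    enabled: Callable[[State], bool]  # En(tau): does rho_tau admit a successor of s?
    succ: Callable[[State], State]    # the (here unique) successor state in tau(s)
    lower: int                        # l_tau
    upper: int                        # u_tau


# The example TTS of the section (constructed encoding).
TAU: List[Transition] = [
    Transition("tau_0", lambda s: s["y"] == 0 and s["x"] % 2 == 0,
               lambda s: {"x": s["x"] + 1, "y": s["y"]}, 1, 2),
    Transition("tau_1", lambda s: s["y"] == 0 and s["x"] % 2 == 1,
               lambda s: {"x": s["x"] + 1, "y": s["y"]}, 1, 2),
    Transition("tau_2", lambda s: s["y"] == 0,
               lambda s: {"x": s["x"], "y": 1}, 3, 3),
]


def theta(s: State) -> bool:
    """Initial condition Theta: (x = 0) and (y = 0)."""
    return s["x"] == 0 and s["y"] == 0


def sit(x: int, y: int, t: int) -> Situation:
    """Situation <x, y, T:t>."""
    return ({"x": x, "y": y}, t)


def check_prefix(transitions: List[Transition], init: Callable[[State], bool],
                 prefix: List[Situation]) -> List[str]:
    """Return the requirement violations found in a computation prefix (empty if none)."""
    bad: List[str] = []
    states = [s for s, _ in prefix]
    times = [t for _, t in prefix]
    n = len(prefix)
    if not init(states[0]) or times[0] != 0:
        bad.append("initiation: s_0 must satisfy Theta with T = 0")
    # Consecution: each step is a transition step (same clock) or a tick step (same state).
    taken: List[Optional[Transition]] = []   # transition taken at position j, None for a tick
    for j in range(n - 1):
        s, s2, t, t2 = states[j], states[j + 1], times[j], times[j + 1]
        if t == t2:
            hit = [tau for tau in transitions if tau.enabled(s) and tau.succ(s) == s2]
            if not hit:
                bad.append(f"consecution: no enabled transition leads from {j} to {j + 1}")
            taken.append(hit[0] if hit else None)
        elif s == s2 and t < t2:
            taken.append(None)
        else:
            bad.append(f"consecution: step {j} -> {j + 1} is neither transition nor tick")
            taken.append(None)
    # Lower bound: tau taken at j must have been enabled on s_i..s_j with t_i + l_tau <= t_j.
    for j, tau in enumerate(taken):
        if tau is None:
            continue
        i = j
        while i > 0 and tau.enabled(states[i - 1]):
            i -= 1
        if times[i] + tau.lower > times[j]:
            bad.append(f"lower bound: {tau.name} taken at {j} after {times[j] - times[i]} "
                       f"time unit(s), needs {tau.lower}")
    # Upper bound: from the start i of each enabled stretch, tau must be disabled at
    # some j with t_j <= t_i + u_tau (checking the start of the stretch suffices).
    for tau in transitions:
        for i in range(n):
            if not tau.enabled(states[i]) or (i > 0 and tau.enabled(states[i - 1])):
                continue
            j = i
            while j < n and tau.enabled(states[j]):
                j += 1
            deadline = times[i] + tau.upper
            if j < n and times[j] > deadline:
                bad.append(f"upper bound: {tau.name} enabled from {i} still enabled at T={times[j - 1]}")
            elif j == n and times[n - 1] > deadline:
                bad.append(f"upper bound: {tau.name} enabled from {i} is over-ripe at T={times[n - 1]}")
    return bad


# sigma_1 and sigma_2 from the text, plus two constructed prefixes that break a time bound.
SIGMA_1 = [sit(0, 0, 0), sit(0, 0, 1), sit(1, 0, 1), sit(1, 0, 2),
           sit(2, 0, 2), sit(2, 0, 3), sit(3, 0, 3), sit(3, 1, 3)]
SIGMA_2 = [sit(0, 0, 0), sit(0, 0, 2), sit(1, 0, 2), sit(1, 0, 3), sit(1, 1, 3)]
TOO_EARLY = [sit(0, 0, 0), sit(1, 0, 0)]   # tau_0 taken before its lower bound 1
TOO_LATE = [sit(0, 0, 0), sit(0, 0, 3)]    # tau_0 left enabled beyond its upper bound 2

if __name__ == "__main__":
    for name, pre in [("sigma_1", SIGMA_1), ("sigma_2", SIGMA_2),
                      ("too_early", TOO_EARLY), ("too_late", TOO_LATE)]:
        print(name, check_prefix(TAU, theta, pre) or "ok")
```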

There  are  several  observations  that  can  be  made  concerning  the  computational  model 
of  timed  transition  systems. 

•  Computations  alternate  between  tick  steps  that  advance  the  clock  by  a  positive 
amount  and  (possibly  empty)  sequences  of  state-changing  transitions  that  take  zero 
time. 

•  Transitions  mature  together  but  execute  separately  in  an  interleaving  manner. 

•  Time  can  progress  only  after  all  ripe  transitions  are  taken  or  become  disabled. 

• When time progresses, it can jump forward only by an amount on which all the enabled transitions agree. That is, it must be such that it will not cause any enabled transition to become "over-ripe."
The requirement of time divergence excludes Zeno computations in which there are infinitely many state changes within a finite time interval [AL92]. Unfortunately, not every timed transition system is guaranteed to have computations that satisfy all the requirements given above.

Consider, for example, a TTS with a state variable $x$, initial condition $x = 1$ and two transitions $\tau_1$ and $\tau_2$ whose transition relations and time bounds are given by

  $\tau$   | $\rho_\tau$              | $l_\tau$ | $u_\tau$
  $\tau_1$ | $x > 0 \wedge x' = -x$   | 0        | 0
  $\tau_2$ | $x < 0 \wedge x' = -x$   | 0        | 0

This TTS does not have a computation. This is because one of $\tau_1$ or $\tau_2$ is always enabled (and ripe) and does not allow time to progress.

A transition whose maximal delay is 0 is called an immediate transition. Let $\mathcal{T}_0$ denote the set of all immediate transitions. A Zeno sequence is an infinite sequence of states $s_0, s_1, \ldots$, such that, for every $i = 0, 1, \ldots$, there exists a $\tau \in \mathcal{T}_0$ such that $s_{i+1} \in \tau(s_i)$. The existence of such a sequence may cause the requirement of time divergence to be violated, since time cannot progress until all enabled immediate transitions are taken and, if there are infinitely many of them, time will never progress.

A  TTS  is  called  progressive  if  it  cannot  generate  a  Zeno  sequence.  Progressive  systems 
cannot  have  an  infinite  chain  of  immediate  transitions  and  are,  therefore,  guaranteed  to 
have  at  least  one  computation. 

From  now  on,  we  restrict  our  attention  to  progressive  transition  systems. 

3.2  System  Description  by  Timed  Statecharts 

A very convenient specification of timed systems can be obtained by extending the visual notation of statecharts [Har87] by annotating each transition with a pair of numbers $[l, u]$, denoting the lower and upper time bounds of that transition. As an example, we present in Fig. 8 a timed specification of a producer-consumer system.

The diagram consists of two processes (automata): Prod and Cons, which operate concurrently. Process Prod represents a producer that produces a positive value in $x$ and places it in the buffer variable $b$. Process Cons waits for $b$ to become positive and then copies $b$ to its working variable $y$ while resetting $b$ to 0.

A label of a transition in this statechart specification has the form

$$\mathit{name} : c / \mathit{assignment},$$

where $\mathit{name}$ is an optional name of the transition (with no semantic meaning), $c$ is a triggering condition which causes the transition to become enabled, and $\mathit{assignment}$ is an optional assignment which is executed when the transition is taken. When the transition has the trivial triggering condition $\top$, such as transition $\ell_1$ in the diagram, we omit the separator '/' from the label. In this case, the transition is enabled whenever the state from which it departs (state produce in the diagram) is active.

In addition, each transition is optionally labeled by a pair of real numbers which specify the minimal and maximal delays of the transition. Transitions that are not explicitly labeled are considered to be immediate, i.e., to have the time bounds $[0, 0]$.

[Figure 8: timed statechart PROD-CONS (diagram not reproduced here). Initially $x = b = y = 0$.]

In the description of Fig. 8, states produce and consume are identified as taking time. This is seen by the fact that the transitions departing from these states have time bounds. On the other hand, states send and receive are described as immediate, and can be exited as soon as the transitions departing from them are enabled.

In  the  example  presented  here,  the  two  concurrent  processes  communicate  by  the 
shared  variable  b. 

The diagram contains a transition $k$ leading from the compound state Normal to state Error. This transition identifies an error state occurring when the producer is at state send, ready to send its next produced value (and hence $x > 0$), while the buffer is still occupied ($b > 0$). Obviously, if the producer were to proceed, the value currently stored in $b$ would be lost.

An interesting analysis question one would like to address in this situation is the conditions under which state Error is guaranteed to be unreachable. A simple calculation implies that

$$l_1 > u_2$$

is a sufficient condition for the unreachability of Error. This is because two consecutive executions of transition $\ell_2$, which assigns a positive value to $b$, must be separated by at least $l_1$ time units. Assuming that the first assignment caused process Cons to move from state receive to state consume, it will return to state receive within at most $u_2 < l_1$ time units. Thus, when $b$ is assigned a new value by $\ell_2$, Cons is already waiting at state receive with $y = 0$.

The associated formal question is how this fact can be proven formally. In the sequel we discuss an approach to the verification of such statements.

Timed  Statecharts  as  a  TTS 

While we refer the reader to [KP92b] for a full definition of the semantics of timed statecharts, we show here how statechart PROD-CONS of Fig. 8 can be viewed as a timed transition system.

As  we  see  in  the  diagram,  a  statechart  contains  basic  states  which  do  not  contain 
other  states  and  compound  states  which  do.  For  example,  states  produce ,  send ,  receive, 
consume,  and  Error  in  statechart  PROD-CONS  are  basic,  while  states  Prod,  Cons,  and 
Normal  are  compound.  We  refer  to  the  direct  descendants  of  a  compound  state  as  its 
children.  Thus,  the  children  of  state  Prod  are  produce  and  send,  the  children  of  Cons  are 
receive  and  consume,  and  the  children  of  Normal  are  Prod  and  Cons.  States  Prod  and 
Cons  are  (exclusive)  or-states.  A  basic  state  is  considered  active  if  the  system  is  currently 
at  this  state.  An  or-state  is  active  if  precisely  one  of  its  children  is  active.  State  Normal, 
on  the  other  hand,  is  an  and-state.  An  and-state  is  active  if  all  of  its  children  are  active. 
Or-  and  and-states  correspond  to  sequential  and  parallel  composition  of  their  children, 
respectively. 

Following is the identification of the constituents of the timed transition system corresponding to statechart PROD-CONS.

• State Variables: As state variables we take the control variable $\pi$ and the integer data variables $x$, $b$, and $y$. Variable $\pi$ ranges over subsets of the basic states produce, send, receive, consume, and Error.

• Initial Condition: given by

$$\Theta : \pi = \{\mathit{produce}, \mathit{receive}\} \wedge x = b = y = 0.$$

• Transitions, lower and upper bounds: are listed in the following table. For simplicity, we omitted all conjuncts of the form $u' = u$ for any state variable $u$.

  $\tau$   | $\rho_\tau$                                                                                                                          | $l_\tau$ | $u_\tau$
  $\ell_1$ | $\mathit{produce} \in \pi \wedge \pi' = \pi - \{\mathit{produce}\} \cup \{\mathit{send}\} \wedge x' > 0$                            | $l_1$    | $u_1$
  $\ell_2$ | $\mathit{send} \in \pi \wedge \pi' = \pi - \{\mathit{send}\} \cup \{\mathit{produce}\} \wedge b' = x \wedge x' = 0$                 | 0        | 0
  $m_1$    | $\mathit{receive} \in \pi \wedge b > 0 \wedge \pi' = \pi - \{\mathit{receive}\} \cup \{\mathit{consume}\} \wedge y' = b \wedge b' = 0$ | 0        | 0
  $m_2$    | $\mathit{consume} \in \pi \wedge \pi' = \pi - \{\mathit{consume}\} \cup \{\mathit{receive}\} \wedge y' = 0$                          | $l_2$    | $u_2$
  $k$      | $(\mathit{Normal} \cap \pi) \neq \emptyset \wedge x > 0 \wedge b > 0 \wedge \pi' = \pi - \mathit{Normal} \cup \{\mathit{Error}\}$  | 0        | 0

Note that transition $\ell_1$ takes any positive value as a "produced value." The set Normal, appearing in the relation for transition $k$, stands for $\{\mathit{produce}, \mathit{send}, \mathit{receive}, \mathit{consume}\}$.

Timed  Extension  of  the  Textual  Language 

In  the  previous  section  (subsection  2.2),  we  introduced  the  simple  programming  language 
SPL  for  the  qualitative  model.  What  extensions,  if  any,  are  necessary  to  deal  with  real 


On the lowest level, very few extensions are necessary. At the minimum, it is only necessary to assign time bounds to the transitions associated with statements of the program. For example, we can assign uniform time bounds $l_\tau = L$ and $u_\tau = U$ to every transition. As mentioned earlier, the set of transitions associated with a real-time program no longer includes the idling transition $\tau_I$.

It is obvious that with this time bounds assignment each SPL program can be viewed as a TTS.

With this timing assignment, we may reconsider a program such as ANY-Y and claim for it some stronger properties. For example, the property of termination can now be quantified by saying that the program terminates within $3 \cdot U$ time units. In the following subsections we will show how such properties are specified and verified.

However, we may become more ambitious and attempt to describe within SPL a system such as the producer-consumer system presented in Fig. 8. To do so, we have to extend SPL by additional statements. We refer the reader again to [KP92b] where such extensions are discussed.

To distinguish between the interpretation of a program $P$ as a fair transition system and its interpretation as a timed transition system (when provided time bounds for its transitions), we denote the latter as $P_T$. For example, the property of termination within $3 \cdot U$ time units is valid for ANY-Y$_T$ but not for program ANY-Y. This property is actually meaningless for ANY-Y, whose computations as a fair transition system do not contain any timing information.

3.3  Requirement  Specification  Languages 

To specify properties of timed systems, we use the language of temporal logic with appropriate extensions. There have been several proposals for such extensions. Here we present only two of them.

To  inspect  the  utility  of  these  languages,  we  will  demonstrate  their  ability  to  specify 
two  important  timed  properties: 

•  Bounded  response:  Every  p  should  be  followed  by  an  occurrence  of  a  q,  not  later 
than  d  time  units. 

•  Minimal  separation:  No  q  can  occur  earlier  than  d  time  units  after  an  occurrence 
of  p. 

Metric Temporal Logic (MTL)

One approach to the specification of timing properties, presented in [HMP91], introduces a bounded version of each temporal operator (excluding $\bigcirc$ and $\ominus$) obtained by subscripting the operator by an interval specification $I$. An interval specification may have one of the forms

$$[l, u] \qquad [l, u) \qquad (l, u] \qquad (l, u).$$

In the first form, it is required that $l \leq u$, while in the others $l < u$. The semantic meaning of these bounded operators is straightforward. For example, $p\,\mathcal{U}_{[l,u]}\,q$ holds at position $i$ of a timed computation $\sigma : (s_0, t_0), (s_1, t_1), \ldots$ iff there exists a $j$, $i \leq j$, such that $t_i + l \leq t_j \leq t_i + u$, $q$ holds at $j$, and for all $k$, $i \leq k < j$, $p$ holds at $k$.

We often use abbreviations such as $\Box_{<u}$ and $\Diamond_{\leq u}$ to stand for $\Box_{[0,u)}$ and $\Diamond_{[0,u]}$. This approach to the specification of timing properties has been advocated in [KVdR83], [KdR85], and [Koy90], although an early proposal in [BH81] can be viewed as a precursor to this specification style.

Metric temporal logic can easily specify the properties of bounded response and minimal separation.

• Bounded response: $p \Rightarrow \Diamond_{\leq d}\, q$.

• Minimal separation: $p \Rightarrow \Box_{<d}\, \neg q$.

Temporal Logic with Age

Another approach to the specification of timed properties introduces a temporal function $\Gamma(\varphi)$, called the age of the formula $\varphi$. The age function measures the length of the largest interval, extending through the past to the present, in which $\varphi$ has been continuously true. More precisely, the value of $\Gamma(\varphi)$ at position $j$ in a computation $\sigma$ is defined to be

• the largest $t$ such that, for some $i \leq j$, $t = t_j - t_i$ and $\varphi$ holds at all positions $i, \ldots, j$, or

• 0 if $\varphi$ does not hold at position $j$.

We denote by TL$_\Gamma$ the logic obtained by extending temporal logic with the age function. Note that the value of $\Gamma(\mathit{true})$ at situation $(s_i, t_i)$ is always $t_i$, the current value of the clock variable $T$. Consequently, we allow formulas in TL$_\Gamma$ to refer explicitly to the clock variable $T$. In this respect, TL$_\Gamma$ can be viewed as an extension of the Explicit Clock Temporal Logic considered, for example, in [PH88], [HLP90], and [Ost90].

In one style of specification, we can specify the two yardstick properties using only references to $T$ but not to $\Gamma$.

• Bounded response: $p \wedge T = t_0 \Rightarrow \Diamond(q \wedge T \leq t_0 + d)$.

• Minimal separation: $p \wedge T = t_0 \Rightarrow \Box(T < t_0 + d \to \neg q)$.

Another style of specification uses the age function but does not refer directly to the clock $T$.

• Bounded response: $\Box\,[\Gamma((\neg q)\,\mathcal{S}\,(p \wedge \neg q)) \leq d]$.

• Minimal separation: $q \Rightarrow (\boxminus\,\neg p \;\vee\; \Gamma(\neg p) \geq d)$.

The formula for bounded response uses the subformula $(\neg q)\,\mathcal{S}\,(p \wedge \neg q)$, which characterizes points of ungratified request, i.e., a position $j$ that is preceded by an occurrence of $p$ but no matching $q$ appears since then till $j$. The full formula states that periods of ungratified request cannot extend for more than $d$.

The formula for minimal separation claims that an occurrence of $q$ must be preceded by a $p$-free period that extends either to the beginning of the computation, or for at least $d$ time units.

An assertion that may refer to the clock variable $T$ or contain age expressions of the form $\Gamma(\psi)$, where $\psi$ is an assertion, is called a timed assertion.
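As an added example serving both the MTL and the TL$_\Gamma$ passages above (not code from the paper), the following Python evaluates the bounded until operator with the semantics given for $p\,\mathcal{U}_{[l,u]}\,q$, the past operators $\mathcal{S}$ and $\boxminus$, and the age function $\Gamma$ over a finite timed trace, and checks bounded response and minimal separation in both specification styles on one constructed trace. The trace encoding, the function names and the sample trace are this example's own assumptions.

```python
"""MTL bounded operators and the age function Gamma evaluated on a finite timed trace.

Added example, not from the paper: a trace is a list of situations (s_j, t_j) with
s_j a dict of propositions; a formula is a callable f(trace, j).  It evaluates the
MTL semantics of p U_I q from the text, the past operators S and box-minus, and
Gamma, then compares the MTL and age-style specifications of bounded response and
minimal separation on one constructed trace.  Verdicts are relative to the prefix:
a request whose window extends past the end of the trace is not counted against it.
"""
from typing import Callable, Dict, List, Tuple

Situation = Tuple[Dict[str, bool], float]
Trace = List[Situation]
Formula = Callable[[Trace, int], bool]
TRUE: Formula = lambda tr, j: True

def atom(name: str) -> Formula:
    return lambda tr, j: tr[j][0][name]

def neg(f: Formula) -> Formula:
    return lambda tr, j: not f(tr, j)

def conj(f: Formula, g: Formula) -> Formula:
    return lambda tr, j: f(tr, j) and g(tr, j)

def until_bounded(p, q, lo, hi, lo_closed=True, hi_closed=True) -> Formula:
    """p U_I q at i: some j >= i with t_i + lo <= t_j <= t_i + hi (ends open or closed
    as I dictates), q at j, and p at every k with i <= k < j."""
    def ev(tr: Trace, i: int) -> bool:
        ti = tr[i][1]
        for j in range(i, len(tr)):
            tj = tr[j][1]
            if (tj > ti + hi) if hi_closed else (tj >= ti + hi):
                return False                        # window exhausted
            if ((tj >= ti + lo) if lo_closed else (tj > ti + lo)) and q(tr, j):
                return True
            if not p(tr, j):
                return False
        return False                                # no witness inside the prefix
    return ev

def eventually_bounded(q, lo, hi, lo_closed=True, hi_closed=True) -> Formula:
    return until_bounded(TRUE, q, lo, hi, lo_closed, hi_closed)

def always_bounded(p, lo, hi, lo_closed=True, hi_closed=True) -> Formula:
    return neg(eventually_bounded(neg(p), lo, hi, lo_closed, hi_closed))

def since(f: Formula, g: Formula) -> Formula:
    """f S g at j: some i <= j with g at i and f at every k with i < k <= j."""
    def ev(tr: Trace, j: int) -> bool:
        for i in range(j, -1, -1):
            if g(tr, i):
                return True
            if not f(tr, i):
                return False
        return False
    return ev

def always_past(f: Formula) -> Formula:   # box-minus: f at every position 0..j
    return lambda tr, j: all(f(tr, k) for k in range(j + 1))

def age(f: Formula, tr: Trace, j: int) -> float:
    """Gamma(f) at j: t_j - t_i for the least i with f true on i..j; 0 if f fails at j."""
    if not f(tr, j):
        return 0.0
    i = j
    while i > 0 and f(tr, i - 1):
        i -= 1
    return tr[j][1] - tr[i][1]

def bounded_response_mtl(tr: Trace, p: Formula, q: Formula, d: float) -> bool:
    """p => <>_{<=d} q at each p-position whose window [t_i, t_i + d] lies inside the trace."""
    t_last = tr[-1][1]
    return all(eventually_bounded(q, 0, d)(tr, i)
               for i in range(len(tr)) if p(tr, i) and tr[i][1] + d <= t_last)

def bounded_response_age(tr: Trace, p: Formula, q: Formula, d: float) -> bool:
    """[](Gamma((not q) S (p and not q)) <= d): no ungratified request is older than d."""
    ungratified = since(neg(q), conj(p, neg(q)))
    return all(age(ungratified, tr, j) <= d for j in range(len(tr)))

def min_separation_mtl(tr: Trace, p: Formula, q: Formula, d: float) -> bool:
    """p => []_{<d} not q at each p-position."""
    return all(always_bounded(neg(q), 0, d, True, False)(tr, i)
               for i in range(len(tr)) if p(tr, i))

def min_separation_age(tr: Trace, p: Formula, q: Formula, d: float) -> bool:
    """q => (box-minus not p  or  Gamma(not p) >= d) at each q-position."""
    no_p = neg(p)
    return all(always_past(no_p)(tr, j) or age(no_p, tr, j) >= d
               for j in range(len(tr)) if q(tr, j))

def situation(t: float, p: bool = False, q: bool = False) -> Situation:
    return ({"p": p, "q": q}, t)

# Constructed trace: request p at T=1 answered by q at T=3; request at T=6 answered
# only at T=11.  Equal consecutive clocks are transition steps, increases are ticks.
TRACE: Trace = [situation(0), situation(1, p=True), situation(1), situation(3, q=True),
                situation(3), situation(6, p=True), situation(7), situation(10),
                situation(11, q=True)]
P, Q = atom("p"), atom("q")
```

On this trace both styles agree: bounded response holds for $d = 5$ but not for $d = 3$, and minimal separation holds for $d = 2$ but not for $d = 3$.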


3.4  Verification  of  MTL  Formulas 

There  are  several  proof  rules  that  have  been  proposed  for  proving  properties  specified 
by  MTL  formulas.  We  refer  the  reader  to  [HMP91]  and  [Hen91]  for  a  deductive  system 
for  such  proofs.  Here  we  will  illustrate  only  a  set  of  rules  which  is  adequate  for  proving 
bounded  response  properties. 

There  is  a  strong  resemblance  between  the  rules  for  bounded  response  and  the  rules 
for  response,  presented  in  subsection  2.7. 

The basic response rule RESP relies on a helpful transition $\tau_h$, whose activation accomplishes the goal $q$ in one helpful step. Let $u_h$ denote the maximal delay associated with $\tau_h$.

B-RESP
  B1. $p \to (q \vee \varphi)$
  B2. $\{\varphi\}\; \mathcal{T} - \{\tau_h\}\; \{q \vee \varphi\}$
  B3. $\{\varphi\}\; \tau_h\; \{q\}$
  B4. $\varphi \to (q \vee \mathit{En}(\tau_h))$
  ----------------------------------------
  $p \Rightarrow \Diamond_{\leq u_h}\, q$

The premises of rule B-RESP are identical to those of rule RESP, but the conclusion states not only that every $p$ is followed by a $q$ but that $q$ must occur within $u_h$ time units. This is because a $p$ not followed by a $q$ initiates a period in which $\tau_h$ is continuously enabled, and such a period cannot extend for more than $u_h$.

Consider program ANY-Y and assume that all transitions, excluding $\tau_I$, are assigned the minimal delay $l : 1$ and the maximal delay $u : 5$. We refer to the resulting timed program and its associated TTS as ANY-Y$_T$. Rule B-RESP can be used to prove the bounded response property

$$at\_m_0 \Rightarrow \Diamond_{\leq 5}\,(x = 1).$$

In fact, no new proof is needed since we have established all the premises for this case in subsection 2.7 while proving the untimed version of this property $at\_m_0 \Rightarrow \Diamond(x = 1)$.

Combining  Bounded  Response  Properties 

As  in  the  untimed  case,  rule  B-RESP  is  useful  only  for  bounded  response  properties  that 
are  achieved  by  a  single  activation  of  a  helpful  transition.  We  present  here  several  rules 
that  may  be  used  to  combine  single-step  bounded  response  properties  into  more  complex 
bounded  response  properties. 

The  following  two  rules  express  the  monotonicity  and  transitivity  of  bounded  response 
properties. 


BR-MON
  $p \Rightarrow \Diamond_{\leq u}\, q$
  $p' \to p$, $q \to q'$
  ----------------------------------------
  $p' \Rightarrow \Diamond_{\leq u}\, q'$

BR-TRANS
  $p \Rightarrow \Diamond_{\leq u_1}\, q$
  $q \Rightarrow \Diamond_{\leq u_2}\, r$
  ----------------------------------------
  $p \Rightarrow \Diamond_{\leq u_1 + u_2}\, r$

Note that in combining a bounded response within $u_1$ followed by a bounded response within $u_2$, the resulting response has the upper bound $u_1 + u_2$.

The last rule for bounded response is BR-CASE, which allows proofs by case analysis.

BR-CASE
  $p \Rightarrow \Diamond_{\leq u_1}\, q$
  $r \Rightarrow \Diamond_{\leq u_2}\, q$
  ----------------------------------------
  $(p \vee r) \Rightarrow \Diamond_{\leq \max(u_1, u_2)}\, q$

Note that if $p$ ensures a response within $u_1$ and $r$ ensures a response within $u_2$, then the best upper bound we can expect from a $(p \vee r)$-state is the maximum of $u_1$ and $u_2$.

We will illustrate the use of these rules by proving termination of program ANY-Y$_T$ within 15 time units, expressible by

$$\Diamond_{\leq 15}\,(at\_\ell_2 \wedge at\_m_1).$$

The proof follows steps identical to those taken in the proof of untimed termination of program ANY-Y, presented in subsection 2.7.

1. $at\_\ell_0 \wedge at\_m_0 \wedge x = 0 \Rightarrow \Diamond_{\leq 5}\,(at\_\ell_{0,1} \wedge at\_m_1 \wedge x = 1)$
   by rule B-RESP, taking $\tau_h : m_0$ and $\varphi : at\_\ell_{0,1} \wedge at\_m_0 \wedge x = 0$

2. $at\_\ell_0 \wedge at\_m_1 \wedge x = 1 \Rightarrow \Diamond_{\leq 5}\,(at\_\ell_2 \wedge at\_m_1)$
   by rule B-RESP, taking $\tau_h : \ell_0$ and $\varphi : at\_\ell_0 \wedge at\_m_1 \wedge x = 1$

3. $at\_\ell_1 \wedge at\_m_1 \wedge x = 1 \Rightarrow \Diamond_{\leq 5}\,(at\_\ell_0 \wedge at\_m_1 \wedge x = 1)$
   by rule B-RESP, taking $\tau_h : \ell_1$ and $\varphi : at\_\ell_1 \wedge at\_m_1 \wedge x = 1$

4. $at\_\ell_1 \wedge at\_m_1 \wedge x = 1 \Rightarrow \Diamond_{\leq 10}\,(at\_\ell_2 \wedge at\_m_1)$
   by rule BR-TRANS, applied to 3 and 2

5. $(at\_\ell_0 \wedge at\_m_1 \wedge x = 1) \vee (at\_\ell_1 \wedge at\_m_1 \wedge x = 1) \Rightarrow \Diamond_{\leq 10}\,(at\_\ell_2 \wedge at\_m_1)$
   by rule BR-CASE, applied to 2 and 4

6. $at\_\ell_{0,1} \wedge at\_m_1 \wedge x = 1 \to (at\_\ell_0 \wedge at\_m_1 \wedge x = 1) \vee (at\_\ell_1 \wedge at\_m_1 \wedge x = 1)$
   an assertional validity

7. $at\_\ell_{0,1} \wedge at\_m_1 \wedge x = 1 \Rightarrow \Diamond_{\leq 10}\,(at\_\ell_2 \wedge at\_m_1)$
   by rule BR-MON, using 5 and 6

8. $at\_\ell_0 \wedge at\_m_0 \wedge x = 0 \Rightarrow \Diamond_{\leq 15}\,(at\_\ell_2 \wedge at\_m_1)$
   by rule BR-TRANS, applied to 1 and 7

9. $\Theta \to at\_\ell_0 \wedge at\_m_0 \wedge x = 0$
   an assertional validity

10. $\Theta \Rightarrow \Diamond_{\leq 15}\,(at\_\ell_2 \wedge at\_m_1)$
    by rule BR-MON, applied to 8 and 9

11. $\Diamond_{\leq 15}\,(at\_\ell_2 \wedge at\_m_1)$
    by rule INIT, applied to 10


Proof  Diagrams  for  Bounded  Response 

Since  the  premises  for  the  bounded  response  rules  are  very  similar  to  those  of  the  response 
rules,  it  is  straightforward  to  represent  proofs  of  bounded  response  properties  by  response 
proof  diagrams.  The  only  additional  information  included  in  bounded-response  diagrams 
is  that  helpful  edges  are  labeled  by  a  number  representing  the  maximal  delay  of  the 
associated  helpful  transition. 

The notions of a diagram being response-sound and response-valid with respect to assertions $p$ and $q$ are identical to those of the untimed case.
In Fig. 9 we present a bounded-response diagram that is response-valid over program ANY-Y$_T$ with respect to $p : \Theta$ and $q : at\_\ell_2 \wedge at\_m_1$. This diagram is very similar to the response diagram in Fig. 7 except for the maximal delays annotating the edges.

Figure 9: A bounded response proof diagram.

Consider a path connecting an initial node to a terminal node along helpful edges. The weight of the path is defined as the sum of upper bounds along the path. For example, the weight of the path traversing the four nodes in the diagram of Fig. 9 is 15. In comparison, the path that proceeds from the initial node directly to the node labeled by $at\_\ell_0$ has the weight 10.

We define the weight of a diagram $D$ to be the maximal weight of a path connecting initial to terminal nodes in the diagram. Obviously, the weight of the diagram in Fig. 9 is 15. It is not difficult to see that the weight of the diagram is the longest delay possible between the occurrence of a state satisfying an initial assertion (an assertion labeling an initial node) and the occurrence of a state satisfying a terminal assertion. This is summarized in the following claim.

Claim 4 If bounded-response diagram $D$ with weight $w$ is response-valid with respect to assertions $p$ and $q$, then the formula

$$p \Rightarrow \Diamond_{\leq w}\, q$$

is $P_T$-valid.

Since the proof diagram of Fig. 9 has been previously shown to be response-valid with respect to $\Theta$ and $at\_\ell_2 \wedge at\_m_1$ and its weight is 15, we conclude that the bounded response property

$$\Theta \Rightarrow \Diamond_{\leq 15}\,(at\_\ell_2 \wedge at\_m_1)$$

is valid for program ANY-Y$_T$. By rule INIT, we may conclude that ANY-Y$_T$ always terminates within 15 time units.
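As an added example (not the paper's own code), the following Python computes the weight of a bounded-response diagram as the heaviest initial-to-terminal path over its helpful edges, which Claim 4 turns into the bound of the proved property. The node set and delays are an assumed reconstruction of Fig. 9 from proof steps 1 to 3 and the two path weights quoted above; the figure itself is not reproduced here.

```python
"""Weight of a bounded-response proof diagram (Claim 4).

Added example, not from the paper.  Helpful edges carry the maximal delay u_h of
their helpful transition; the weight of a path is the sum of these delays and the
weight of the diagram is the heaviest initial-to-terminal path.  The nodes and
edges below are an assumed reconstruction of Fig. 9 for ANY-Y_T with uniform
bounds L = 1, U = 5 (the figure is not reproduced in the text).
"""
from typing import Dict, List, Optional, Tuple

Edge = Tuple[str, int]            # (target node, maximal delay of the helpful transition)
Diagram = Dict[str, List[Edge]]    # node -> outgoing helpful edges

INIT = "at_l0 & at_m0 & x=0"
N_L1 = "at_l1 & at_m1 & x=1"
N_L0 = "at_l0 & at_m1 & x=1"
TERM = "at_l2 & at_m1"

FIG9: Diagram = {                  # assumed layout
    INIT: [(N_L1, 5), (N_L0, 5)],  # helpful transition m_0 (u = 5) sets x := 1
    N_L1: [(N_L0, 5)],             # helpful transition l_1 (u = 5)
    N_L0: [(TERM, 5)],             # helpful transition l_0 (u = 5) exits the loop
    TERM: [],                      # terminal node
}


def path_weight(diagram: Diagram, path: List[str]) -> int:
    """Sum of the delays along a path given as a list of nodes; raises on a missing edge."""
    total = 0
    for a, b in zip(path, path[1:]):
        delays = [u for (tgt, u) in diagram[a] if tgt == b]
        if not delays:
            raise ValueError(f"no helpful edge {a} -> {b}")
        total += delays[0]
    return total


def diagram_weight(diagram: Diagram, initial: List[str], terminal: List[str]) -> int:
    """Heaviest path from an initial to a terminal node.  Helpful edges of a valid
    response diagram are acyclic (each decreases the ranking); a cycle is an error."""
    memo: Dict[str, Optional[int]] = {}

    def heaviest(node: str, on_path: frozenset) -> Optional[int]:
        if node in memo:
            return memo[node]
        if node in on_path:
            raise ValueError(f"cycle of helpful edges through {node}")
        best: Optional[int] = 0 if node in terminal else None
        for tgt, u in diagram[node]:
            w = heaviest(tgt, on_path | {node})
            if w is not None and (best is None or u + w > best):
                best = u + w
        memo[node] = best
        return best

    weights = [heaviest(n, frozenset()) for n in initial]
    reachable = [w for w in weights if w is not None]
    if not reachable:
        raise ValueError("no initial node reaches a terminal node")
    return max(reachable)


if __name__ == "__main__":
    print("four-node path:", path_weight(FIG9, [INIT, N_L1, N_L0, TERM]))
    print("direct path:   ", path_weight(FIG9, [INIT, N_L0, TERM]))
    print("diagram weight:", diagram_weight(FIG9, [INIT], [TERM]))
```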
3.5 Verification of Age Formulas

For verifying properties specified by TL$_\Gamma$, we develop an extended version of rule WAIT. This will enable us to prove properties expressed by formulas of the form

$$p \Rightarrow \varphi\,\mathcal{W}\,q$$

for the more general case that $p$, $\varphi$, and $q$ are timed assertions, i.e., state formulas that may contain references to the clock variable $T$ and occurrences of age expressions $\Gamma(\psi)$, where $\psi$ is a state formula.

Before presenting the rule itself, we will present some axioms governing the behavior of age expressions and the timed version of the initiality rule.

Preliminary Axioms and the Initiality Rule

There are several axioms that govern the range of age expressions and are valid over all computations of a timed transition system $P_T$.

AGE-RANGE: $0 \leq \Gamma(\psi) \leq T$ for every formula $\psi$

AGE-FALSE: $\neg\psi \to \Gamma(\psi) = 0$ for every formula $\psi$

UPPER-BOUND: $\Gamma(\mathit{En}(\tau)) \leq u_\tau$ for every transition $\tau \in \mathcal{T}$

We may use these axioms freely in any reasoning step. Note that a consequence of AGE-RANGE is that $T = 0$ implies $\Gamma(\psi) = 0$ for every $\psi$.

For timed transition systems, we use a stronger version of the initiality rule INIT. Define $\Theta_T$ to be

$$\Theta_T : \Theta \wedge T = 0.$$

Then the timed initiation rule T-INIT specifies that any formula entailed by $\Theta_T$ is $P_T$-valid.

T-INIT
  $\Theta_T \Rightarrow \psi$
  ----------------------
  $\psi$

Verification Conditions

In preparation for rule WAIT, we introduced the verification condition $\{p\}\,\tau\,\{q\}$ whose validity ensures that every $\tau$-successor of a $p$-state satisfies $q$. When considering computations of a timed transition system, there are two ways to get from a situation to its successor: by taking a transition or by letting time progress (a tick step). Consequently, we introduce two verification conditions.

• The condition $\{p\}\,\tau\,\{q\}_T$ is given by

$$\rho_\tau^T \wedge p \to q',$$

where $\rho_\tau^T$ stands for

$$\rho_\tau \wedge T' = T \wedge l_\tau \leq \Gamma(\mathit{En}(\tau)) \leq u_\tau.$$

In addition to $\rho_\tau$, $\rho_\tau^T$ also requires that time does not progress and that $\tau$ has been continuously enabled for at least $l_\tau$ and at most $u_\tau$ time units.

• The condition $\{p\}\,\mathit{tick}\,\{q\}$ is given by

$$\rho_{\mathit{tick}} \wedge p \to q',$$

where $\rho_{\mathit{tick}}$ stands for

$$V' = V \;\wedge\; T' > T \;\wedge\; \bigwedge_{\tau \in \mathcal{T}} \big(\Gamma'(\mathit{En}(\tau)) \leq u_\tau\big).$$

The formula $\rho_{\mathit{tick}}$ requires that the state variables do not change, time progresses by a positive amount, and no transition becomes over-ripe as a result of the progress of time.

In any of these formulas we may need to evaluate the primed version of $\Gamma(r)$, denoted by $\Gamma'(r)$ for some assertion $r$. This is given by

$$\Gamma'(r) = \mathbf{if}\ r'\ \mathbf{then}\ \Gamma(r) + T' - T\ \mathbf{else}\ 0.$$

For a set of transitions $S \subseteq \mathcal{T}$, we say that $\{p\}\,S\,\{q\}_T$ is valid if $\{p\}\,\tau\,\{q\}_T$ is valid for every $\tau \in S$.

As in the untimed case, the validity of $\{p\}\,\mathcal{T}\,\{q\}_T$ and $\{p\}\,\mathit{tick}\,\{q\}$ implies:

if $(s, t)$ and $(s', t')$ are two consecutive situations in a computation of $P_T$ and $(s, t)$ satisfies $p$, then $(s', t')$ satisfies $q$.

Let us check the verification condition

$$\{at\_\ell_1 \wedge at\_m_1 \wedge x = 1 \wedge T \leq 5 + \Gamma(at\_\ell_1) \leq 10\}\ \ \ell_1\ \ \{at\_\ell_0 \wedge at\_m_1 \wedge x = 1 \wedge T \leq 10 + \Gamma(at\_\ell_0) \leq 15\}_T$$

for program ANY-Y$_T$ with uniform time bounds $L = 1$ and $U = 5$. Expanding the definition of the condition, we get

$$\underbrace{\pi' = \pi - \{\ell_1\} \cup \{\ell_0\} \wedge x' = x \wedge \ldots \wedge T' = T \wedge \ldots \wedge \Gamma(at\_\ell_1) \leq 5}_{\rho^T_{\ell_1}} \;\wedge\; \underbrace{at\_\ell_1 \wedge at\_m_1 \wedge x = 1 \wedge T \leq 5 + \Gamma(at\_\ell_1) \leq 10}_{p} \;\to\; \underbrace{(at\_\ell_0)' \wedge (at\_m_1)' \wedge x' = 1 \wedge T' \leq 10 + \Gamma'(at\_\ell_0) \leq 15}_{q'}$$

Clearly $\pi' = \pi - \{\ell_1\} \cup \{\ell_0\}$ implies $(at\_\ell_0)'$ and $(at\_m_1)' = at\_m_1 = \mathit{true}$. The conjunct $x = 1$ of $p$ and the conjunct $x' = x$ of $\rho^T_{\ell_1}$ imply $x' = 1$. Since $T' = T$, we obtain from $T \leq 5 + \Gamma(at\_\ell_1)$ and $\Gamma(at\_\ell_1) \leq 5$ the inequality $T' \leq 10$, from which, by AGE-RANGE, follows $T' \leq 10 + \Gamma'(at\_\ell_0)$. By axiom UPPER-BOUND, $\Gamma'(at\_\ell_0) \leq 5$, leading to $T' \leq 10 + \Gamma'(at\_\ell_0) \leq 15$.
Next, let us check the verification condition

$$\{at\_\ell_1 \wedge at\_m_1 \wedge x = 1 \wedge T \leq 5 + \Gamma(at\_\ell_1) \leq 10\}\ \ \mathit{tick}\ \ \{at\_\ell_1 \wedge at\_m_1 \wedge x = 1 \wedge T \leq 5 + \Gamma(at\_\ell_1) \leq 10\}.$$

Expanding its definition we get

$$\underbrace{\pi' = \pi \wedge x' = x \wedge T' > T \wedge \Gamma'(at\_\ell_1) \leq 5}_{\rho_{\mathit{tick}}} \;\wedge\; \underbrace{at\_\ell_1 \wedge at\_m_1 \wedge x = 1 \wedge T \leq 5 + \Gamma(at\_\ell_1) \leq 10}_{p} \;\to\; \underbrace{(at\_\ell_1)' \wedge (at\_m_1)' \wedge x' = 1 \wedge T' \leq 5 + \Gamma'(at\_\ell_1) \leq 10}_{q'}$$

Since $\pi' = \pi$ and $at\_\ell_1 \wedge at\_m_1$ holds, so does $(at\_\ell_1)' \wedge (at\_m_1)'$. The conjuncts $x' = x$ and $x = 1$ imply $x' = 1$. Expanding $\Gamma'(at\_\ell_1)$ under $(at\_\ell_1)'$, we obtain $\Gamma'(at\_\ell_1) = \Gamma(at\_\ell_1) + T' - T$. Consider the inequality $T \leq 5 + \Gamma(at\_\ell_1)$. By adding $T' - T$ to both sides, we obtain

$$T' \leq 5 + \Gamma(at\_\ell_1) + T' - T = 5 + \Gamma'(at\_\ell_1).$$

Using the conjunct $\Gamma'(at\_\ell_1) \leq 5$ from $\rho_{\mathit{tick}}$, we conclude

$$T' \leq 5 + \Gamma'(at\_\ell_1) \leq 10,$$

establishing the last conjunct of $q'$.

A Rule for Timed Waiting-For

The following rule can be used to establish the $P_T$-validity of the waiting-for formula $p \Rightarrow \varphi\,\mathcal{W}\,q$ for timed assertions $p$, $\varphi$, and $q$, over a given timed transition system $P_T$.

T-WAIT
  W1. $p \to q \vee \varphi$
  W2. $\{\varphi\}\ \mathcal{T}\ \{q \vee \varphi\}_T$
  W3. $\{\varphi\}\ \mathit{tick}\ \{q \vee \varphi\}$
  ----------------------------------------
  $p \Rightarrow \varphi\,\mathcal{W}\,q$

Rule T-WAIT can be used in conjunction with the monotonicity rule W-MON (applied to timed assertions). Together they form a complete system for proving timed waiting-for formulas over timed assertions $p$, $\varphi$, and $q$.

For example, we can use rule T-WAIT to prove the formula

$$\underbrace{at\_\ell_1 \wedge at\_m_1 \wedge x = 1 \wedge T \leq 5 + \Gamma(at\_\ell_1) \leq 10}_{p} \;\Rightarrow\; \underbrace{(at\_\ell_1 \wedge at\_m_1 \wedge x = 1 \wedge T \leq 5 + \Gamma(at\_\ell_1) \leq 10)}_{\varphi}\ \mathcal{W}\ \underbrace{(at\_\ell_0 \wedge at\_m_1 \wedge x = 1 \wedge T \leq 10 + \Gamma(at\_\ell_0) \leq 15)}_{q}$$

for program ANY-Y$_T$.

We take $p$ and $\varphi$ to be $at\_\ell_1 \wedge at\_m_1 \wedge x = 1 \wedge T \leq 5 + \Gamma(at\_\ell_1) \leq 10$ and $q$ to be $at\_\ell_0 \wedge at\_m_1 \wedge x = 1 \wedge T \leq 10 + \Gamma(at\_\ell_0) \leq 15$. Premise W1 is trivial since $p = \varphi$. For premise W2 we have to prove

$$\{at\_\ell_1 \wedge at\_m_1 \wedge x = 1 \wedge T \leq 5 + \Gamma(at\_\ell_1) \leq 10\}\ \ \tau\ \ \{(at\_\ell_0 \wedge at\_m_1 \wedge x = 1 \wedge T \leq 10 + \Gamma(at\_\ell_0) \leq 15) \;\vee\; (at\_\ell_1 \wedge at\_m_1 \wedge x = 1 \wedge T \leq 5 + \Gamma(at\_\ell_1) \leq 10)\}_T$$

for every $\tau \in \{m_0, \ell_0, \ell_1\}$. For $\tau = \ell_1$ we have proven

$$\{at\_\ell_1 \wedge at\_m_1 \wedge x = 1 \wedge T \leq 5 + \Gamma(at\_\ell_1) \leq 10\}\ \ \ell_1\ \ \{at\_\ell_0 \wedge at\_m_1 \wedge x = 1 \wedge T \leq 10 + \Gamma(at\_\ell_0) \leq 15\}_T$$

above. For all other transitions, it is straightforward to prove

$$\{at\_\ell_1 \wedge at\_m_1 \wedge x = 1 \wedge T \leq 5 + \Gamma(at\_\ell_1) \leq 10\}\ \ \tau\ \ \{at\_\ell_1 \wedge at\_m_1 \wedge x = 1 \wedge T \leq 5 + \Gamma(at\_\ell_1) \leq 10\}_T.$$

Premise W3 follows from $\{p\}\ \mathit{tick}\ \{\varphi\}$,

$$\{at\_\ell_1 \wedge at\_m_1 \wedge x = 1 \wedge T \leq 5 + \Gamma(at\_\ell_1) \leq 10\}\ \ \mathit{tick}\ \ \{at\_\ell_1 \wedge at\_m_1 \wedge x = 1 \wedge T \leq 5 + \Gamma(at\_\ell_1) \leq 10\},$$

which has also been proven above.

We conclude that the formula

$$at\_\ell_1 \wedge at\_m_1 \wedge x = 1 \wedge T \leq 5 + \Gamma(at\_\ell_1) \leq 10 \;\Rightarrow\; (at\_\ell_1 \wedge at\_m_1 \wedge x = 1 \wedge T \leq 5 + \Gamma(at\_\ell_1) \leq 10)\ \mathcal{W}\ (at\_\ell_0 \wedge at\_m_1 \wedge x = 1 \wedge T \leq 10 + \Gamma(at\_\ell_0) \leq 15)$$

is valid for program ANY-Y$_T$.

Using Proof Diagrams

To present more elaborate proofs, we may use proof diagrams whose nodes are labeled by timed assertions.

We add to the definition of a sound (and valid) proof diagram the requirement:

• For every node $n_i \in N$ it is required that the tick verification condition

$$\{\varphi_i\}\;\mathit{tick}\;\{\varphi_i\}$$

is valid, implying that each of the assertions is preserved under the progress of time.

Let us consider again the bounded response property which, in MTL, is specified as


$$p \;\Rightarrow\; \Diamond_{\le d}\, q .$$

In this form, as well as in the explicit clock style

$$p \wedge T = t_0 \;\Rightarrow\; \Diamond\,(q \wedge T \le t_0 + d),$$

this property appears to be a response property. However, this property is actually a safety property. We refer the reader to [Hen92] and [Pnu92] where it is pointed out that many liveness properties become safety properties when we consider their bounded version.

In fact, the TL$_\Gamma$ specification $\Box\,(\Gamma((\neg q)\,\mathcal{S}\,(p \wedge \neg q)) \le d)$ identifies bounded response as a safety property. Here, however, we prefer to work with another equivalent form

$$p \wedge T = t_0 \;\Rightarrow\; (T \le t_0 + d)\;\mathcal{W}\;q .$$

This waiting-for formula states that, following every occurrence of $p$ at time $t_0$, time cannot progress beyond $t_0 + d$ without encountering an occurrence of $q$.

Let us show that this formula specifies bounded response within delay of at most $d$. Since time is required to diverge, the waiting-for formula cannot be satisfied by $T \le t_0 + d$ holding forever. Thus, there must exist a position $j$ such that $T \le t_0 + d$ still holds at situation $(s_j, t_j)$, i.e., $t_j \le t_0 + d$, while $q$ holds at the next situation $(s_{j+1}, t_{j+1})$. Note that $q$ is an assertion depending only on the state $s_{j+1}$ but not on time. According to the definition of a computation, there are two cases: either $t_j = t_{j+1}$ or $t_j < t_{j+1}$ but then $s_j = s_{j+1}$. In the first case, $t_{j+1} \le t_0 + d$ so $q$ occurs while the time is still within the bound $d$. In the second case, $q$ is also satisfied at situation $(s_j, t_j)$ and, again, $q$ occurs within bound $d$.

Let us prove termination of program ANY-Y$_T$ within 15 time units. Using rule T-INIT, it is sufficient to prove

$$\Theta_T \;\Rightarrow\; (T \le 15)\;\mathcal{W}\;(at\_\ell_2 \wedge at\_m_1).$$

The proof diagram presented in Fig. 10 provides a proof for this statement.

It is not difficult to show that the diagram is sound. For example, the verification conditions for $\varphi_1$ (including its preservation under a tick step) have been proven above. It remains to show that the diagram is valid with respect to $\Theta_T$, $T \le 15$, and $at\_\ell_2 \wedge at\_m_1$. The condition for $\Theta_T$ is

$$\underbrace{\pi = \{\ell_0, m_0\} \wedge x = 0 \wedge \cdots \wedge T = 0}_{\Theta_T} \;\rightarrow\; \underbrace{at\_\ell_{0,1} \wedge at\_m_0 \wedge x = 0 \wedge T = \Gamma(at\_m_0) \le 5}_{\varphi_0} .$$

Obviously, $\pi = \{\ell_0, m_0\}$ implies $at\_\ell_{0,1} \wedge at\_m_0$, and $T = 0$ implies, by axiom AGE-RANGE, $T = \Gamma(at\_m_0) = 0 \le 5$. The condition for $T \le 15$ is

$$\underbrace{(\cdots \wedge T = \cdots \le 5)}_{\varphi_0} \;\vee\; \underbrace{(\cdots \wedge T \le \cdots \le 10)}_{\varphi_1} \;\vee\; \underbrace{(\cdots \wedge T \le \cdots \le 15)}_{\varphi_2} \;\rightarrow\; T \le 15,$$

which is obviously valid. The condition for $at\_\ell_2 \wedge at\_m_1$ is trivial since $\varphi_f = \varphi_3 = at\_\ell_2 \wedge at\_m_1$.

Figure 10: A timed waiting-for proof diagram.

Proving  Untimed  Properties  of  Timed  Systems 

The previous examples concentrated on proving timed properties, i.e., properties in which time is explicitly mentioned, either via reference to $T$, or via age expressions, or via bound subscripts on the temporal operators. Another interesting class of properties consists of properties that do not refer to time directly but whose validity over a program $P_T$ is a consequence of the timing constraints satisfied by the computations of $P_T$.

For example, the property $\Box(y < 3)$ is valid over all computations of program ANY-Y$_T$ with uniform time bounds $[1, 5]$. It is certainly not valid for the (untimed) computations of ANY-Y.

To prove this property, we first derive a timed version of rule INV for establishing the $P_T$-validity of the invariance formula $\Box\varphi$ for a timed assertion $\varphi$. This can be done by applying rule T-WAIT with $p = \Theta_T$ and $q = \mathrm{F}$ and observing that $\varphi\,\mathcal{W}\,\mathrm{F}$ is congruent to $\Box\varphi$. Using rule T-INIT, we obtain rule T-INV.

$$\text{T-INV}\quad
\begin{array}{ll}
\text{I1.} & \Theta_T \rightarrow \varphi \\
\text{I2.} & \{\varphi\}\;\mathcal{T}\;\{\varphi\}_T \\
\text{I3.} & \{\varphi\}\;\mathit{tick}\;\{\varphi\} \\
\hline
& \Box\varphi
\end{array}$$

Rules T-INV and I-MON (applied to timed assertions) serve as the foundation for proving invariance properties by proof diagrams.

We say that a proof diagram is invariance-valid with respect to timed assertion $\varphi$ if it is sound, $\varphi_f = \mathrm{F}$, and the following two implications are valid:

$$\Theta_T \rightarrow \varphi_I \qquad\qquad \bigvee_{i} \varphi_i \rightarrow \varphi$$

Obviously, if there exists a diagram that is invariance-valid with respect to $\varphi$, then $\Box\varphi$ is $P_T$-valid.

In Fig. 11 we present a proof diagram that is invariance-valid with respect to the assertion $y < 3$.

[Fig. 11: column labels $at\_m_0 \wedge x = 0$ and $at\_m_1 \wedge x = 1$; diagram not reproduced]

Figure 11: A timed invariance proof diagram.

Let us present some arguments for the validity of this diagram. First, let us check that all assertions appearing in the diagram are preserved by a tick step. The only interesting cases are assertions containing age expressions. The relevant expressions are

$$2 \cdot y + \Gamma(at\_\ell_0) \le \Gamma(at\_m_0) \le 5 \quad\text{while } at\_\ell_0 \wedge at\_m_0 \text{ holds},$$

$$2 \cdot y + 1 + \Gamma(at\_\ell_1) \le \Gamma(at\_m_0) \le 5 \quad\text{while } at\_\ell_1 \wedge at\_m_0 \text{ holds}.$$

In both cases, when time progresses from $T$ to $T' > T$, both sides of the inequality increase by $T' - T$. Furthermore, $\Gamma'(at\_m_0) \le 5$ follows from the definition of $\rho_{tick}$.

Next, we should check the verification conditions corresponding to the transitions labeling edges in the diagram. The verification condition corresponding to $\ell_0$ is

$$\rho^T_{\ell_0} \wedge at\_\ell_0 \wedge 2 \cdot y + \Gamma(at\_\ell_0) \le \Gamma(at\_m_0) \le 5 \;\rightarrow\; (at\_\ell_1)' \wedge 2 \cdot y' + 1 + \Gamma'(at\_\ell_1) \le \Gamma'(at\_m_0) \le 5 .$$

Clearly, $\rho_{\ell_0}$, which is part of $\rho^T_{\ell_0}$, implies $(at\_\ell_1)'$ and $y' = y$. The rest of $\rho^T_{\ell_0}$ implies $\Gamma(at\_\ell_0) \ge 1$ and $T' = T$, which together with $at\_m_0$ leads to $\Gamma'(at\_m_0) = \Gamma(at\_m_0)$. By axiom AGE-FALSE and the definition of $\Gamma'$, $\Gamma'(at\_\ell_1) = 0$. We thus have

$$2 \cdot y + 1 + \Gamma'(at\_\ell_1) = 2 \cdot y + 1 \le 2 \cdot y + \Gamma(at\_\ell_0) \le \Gamma(at\_m_0) = \Gamma'(at\_m_0) \le 5 .$$

On taking transition $m_0$ from any of the assertions appearing on the left of the diagram, we have that either $2 \cdot y \le 5$ or $2 \cdot y + 1 \le 5$. In both cases, this implies $y \le 2.5 < 3$.

It is also straightforward to show the condition

$$\Theta_T \;\rightarrow\; at\_\ell_0 \wedge at\_m_0 \wedge x = 0 \wedge 2 \cdot y + \Gamma(at\_\ell_0) \le \Gamma(at\_m_0) \le 5,$$

since $\Theta_T$ implies $at\_\ell_0 \wedge at\_m_0 \wedge x = 0$ and $y = \Gamma(at\_\ell_0) = \Gamma(at\_m_0) = 0$.

This shows that the diagram is invariance-sound with respect to $y < 3$ and establishes that the formula

$$\Box(y < 3)$$

is valid over program ANY-Y$_T$.
A Time Dependent Mutual Exclusion Algorithm

As a final example, we present a fragment of a mutual exclusion algorithm, due to M. Fischer, which functions properly only due to the timing constraints associated with the statements in the language. Similar proofs to the one we will present here are given in [SBM92], [AL92], and [MMP92].

The algorithm is presented in Fig. 12. Each of the processes can progress to its second location ($\ell_1$ or $m_1$, respectively) only when $x = 0$. Then, process $P_i$ sets $x$ to $i = 1, 2$. It delays for one instruction time at the next statement, which is skip. The next statement checks whether $x$ still equals $i$ and, if it does, the process proceeds to its critical section. Of course, in some executions, $P_1$ may set $x$ to 1 at statement $\ell_1$ but find its value to be 2 at $\ell_3$, because $P_2$ has set $x$ to 2 between the execution of these two statements.


x : integer where x = 0

P1 ::  ℓ0 : await x = 0        ||   P2 ::  m0 : await x = 0
       ℓ1 : x := 1                        m1 : x := 2
       ℓ2 : skip                          m2 : skip
       ℓ3 : await x = 1                   m3 : await x = 2
       ℓ4 : critical                      m4 : critical

Figure 12: Program MUTEX: Coordination by timing.

The main verification problem associated with this program is the following.

Claim 5. Assuming all transitions in program MUTEX$_T$ are assigned uniform time bounds $[L, U]$, where $2 \cdot L > U$, then the property of mutual exclusion, specifiable as

$$\Box\,\neg(at\_\ell_4 \wedge at\_m_4),$$

is valid for MUTEX$_T$.

In Fig. 13, we present a proof diagram for this property. This diagram employs an additional convention by placing a tabular grid over some of the nodes. The interpretation of the grid is that all nodes belonging to a row of the table have the assertion appearing on the left of that row as a common additional conjunct. In a similar way, all nodes appearing in a column of the table share as a common conjunct the assertion appearing at the top (or bottom) of that column. For example, the full assertion associated with the node appearing at the top left corner of the diagram is:

$$\underbrace{x = 1 \wedge at\_\ell_4 \wedge \Gamma(x \ne 0) \ge 2 \cdot L}_{\text{row's common conjunct}} \;\wedge\; \underbrace{at\_m_0}_{\text{column's}}$$

It is possible to check that the diagram is invariance-valid with respect to the assertion $\neg(at\_\ell_4 \wedge at\_m_4)$. All assertions are preserved by the progress of time. For the initial assertion, this is true since $x \ne 0$ is false as long as the control stays at $\ell_{0,1}, m_{0,1}$. All other assertions refer to time only by equalities or inequalities that either contain age expressions that grow at the same rate on both sides of the equality/inequality, or are of the form $\Gamma(x \ne 0) \ge 2 \cdot L$, in which the left-hand side grows with time, while the right-hand side is constant.

[Fig. 13: column labels $at\_m_0$ and $at\_m_{2..4}$; diagram not reproduced]

Figure 13: A proof diagram for program MUTEX$_T$.

The diagram identifies four transitions as impossible. They are transition $\ell_3$ from the two nodes satisfying $at\_\ell_3 \wedge (at\_m_1 \vee (at\_m_{2..4} \wedge x = 2))$ and transition $m_3$ from the nodes satisfying $at\_m_3 \wedge (at\_\ell_1 \vee (at\_\ell_{2..4} \wedge x = 1))$. There are many other transitions that are impossible, for example $m_0$ from a node satisfying $at\_\ell_3 \wedge at\_m_0$, which is impossible due to $x = 1$. The reason we singled out these four is that they form the most direct threat to mutual exclusion. That is, if they were possible then mutual exclusion could have been violated.

Transitions $\ell_3$ from an $(at\_m_{2..4} \wedge x = 2)$-state and $m_3$ from an $(at\_\ell_{2..4} \wedge x = 1)$-state are impossible because they are disabled on these states. Taking $\ell_3$ from an $at\_m_1$-state or $m_3$ from an $at\_\ell_1$-state is impossible due to timing considerations.

Consider, for example, taking transition $\ell_3$ from a state (at column 2 and row 2 from the top) satisfying

$$x = 1 \wedge at\_m_1 \wedge \Gamma(at\_m_1) \ge \Gamma(x \ne 0) \wedge at\_\ell_3 \wedge \Gamma(x \ne 0) \ge L + \Gamma(at\_\ell_3).$$

Combining the two inequalities, such states also satisfy

$$\Gamma(at\_m_1) \ge L + \Gamma(at\_\ell_3).$$

Transition $\ell_3$ can be taken only when $\Gamma(at\_\ell_3) \ge L$, which would lead to

$$\Gamma(at\_m_1) \ge 2 \cdot L > U,$$

which violates axiom AGE-RANGE for transition $m_1$.

The considerations leading to the impossibility of taking $m_3$ from an $at\_\ell_1$-state are similar. We conclude that the diagram is valid with respect to $\neg(at\_\ell_4 \wedge at\_m_4)$ and therefore

$$\Box\,\neg(at\_\ell_4 \wedge at\_m_4)$$

is valid for program MUTEX$_T$.
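The timing argument above can also be checked mechanically. The following Python script is an added example (not the paper's code): it explores all reachable states of MUTEX under uniform integer bounds $[L, U]$, assuming that time advances in unit ticks (a discretization the paper does not make; its time is dense), and returns a path on which both processes are in their critical sections when one exists. The function names and the state encoding are ours.

```python
# Added example, not from the paper: exhaustive reachability check of program
# MUTEX (Fig. 12) under uniform integer bounds [L, U].  Assumption (ours, not the
# paper's): time advances in unit ticks, so the age of an enabled transition is
# an integer.  A transition may fire once its age is >= L (lower bound) and a
# tick is allowed only while no enabled transition has age U (upper bound).
from collections import deque
from typing import List, Optional, Tuple

# Locations 0..4 stand for l0..l4 (P1) and m0..m4 (P2); 4 is the critical section.
# A state is (loc1, loc2, x, age1, age2); age_i is None when P_i's statement is disabled.
State = Tuple[int, int, int, Optional[int], Optional[int]]


def enabled(proc: int, loc: int, x: int) -> bool:
    """Guard of the statement at location `loc` of process P_proc (proc in {1, 2})."""
    if loc == 0:                 # l0 / m0 : await x = 0
        return x == 0
    if loc in (1, 2):            # x := i  and  skip  are always enabled
        return True
    if loc == 3:                 # l3 : await x = 1 ,  m3 : await x = 2
        return x == proc
    return False                 # critical: no further statement


def effect(proc: int, loc: int, x: int) -> int:
    """Value of x after executing the statement at `loc` of P_proc (only l1/m1 write x)."""
    return proc if loc == 1 else x


def successors(s: State, L: int, U: int) -> List[State]:
    loc, x, age = [s[0], s[1]], s[2], [s[3], s[4]]
    out: List[State] = []
    for p in (0, 1):                                  # discrete step of P_{p+1}
        if age[p] is not None and age[p] >= L:        # enabled for at least L time units
            nloc = loc[:]
            nloc[p] += 1
            nx = effect(p + 1, loc[p], x)
            nage: List[Optional[int]] = []
            for q in (0, 1):
                if not enabled(q + 1, nloc[q], nx):
                    nage.append(None)                 # disabled: no age
                elif q == p or age[q] is None:
                    nage.append(0)                    # newly enabled: age restarts at 0
                else:
                    nage.append(age[q])               # still enabled: age persists
            out.append((nloc[0], nloc[1], nx, nage[0], nage[1]))
    if all(a is None or a < U for a in age):          # no transition at its deadline
        out.append((loc[0], loc[1], x,
                    None if age[0] is None else age[0] + 1,
                    None if age[1] is None else age[1] + 1))   # tick: one time unit passes
    return out


def mutex_violation(L: int, U: int) -> Optional[List[State]]:
    """Path to a state with both processes at l4 and m4, or None if no such state is reachable."""
    init: State = (0, 0, 0, 0, 0)          # x = 0; both awaits enabled since T = 0
    parent = {init: None}
    todo = deque([init])
    while todo:
        s = todo.popleft()
        if s[0] == 4 and s[1] == 4:
            path = []
            while s is not None:
                path.append(s)
                s = parent[s]
            return path[::-1]
        for n in successors(s, L, U):
            if n not in parent:
                parent[n] = s
                todo.append(n)
    return None


if __name__ == "__main__":
    for L, U in ((2, 3), (1, 3), (2, 4)):
        path = mutex_violation(L, U)
        print(f"L={L} U={U} 2L>U={2 * L > U}: "
              + ("mutual exclusion holds" if path is None else f"violated after {len(path) - 1} steps"))
```

For $2 \cdot L > U$ the search finds no violating state, matching Claim 5; for $2 \cdot L \le U$ it returns the interleaving in which $P_2$ sets $x$ to 2 after $P_1$ has already passed $\ell_3$.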

4  Hybrid  Systems 

The  last  model  presented  here  is  that  of  hybrid  systems.  Hybrid  systems  are  systems  that 
combine  discrete  and  continuous  components.  To  represent  the  continuous  components, 
the  hybrid  system  model  contains  activities  that  modify  their  variables  continuously  over 
intervals  of  positive  duration,  in  addition  to  the  familiar  transitions  that  change  the  values 
of  variables  in  zero  time,  representing  the  discrete  components.  The  model  presented  here 
was  first  introduced  in  [MMP92]. 

It  is  obvious  that  many  systems  that  interact  with  a  physical  environment,  such  as  a 
digital  module  controlling  a  process  or  a  manufacturing  plant,  a  digital-analog  guidance 
of  transport  systems,  or  a  control  of  a  robot,  can  benefit  from  the  more  detailed  modeling 
proposed  by  the  comprehensive  framework  of  the  hybrid  model. 

4.1  Computational  Model:  Phase  Transition  System 

A phase transition system (PTS) $\Phi = \langle V, \Theta, \mathcal{T}, \mathcal{A}, l, u, \mathcal{I} \rangle$ consists of:

• $V = \{u_1, \ldots, u_n\}$: A finite set of state variables. The set $V = V_d \cup V_c$ is partitioned into $V_d$, the set of discrete variables, and $V_c$, the set of continuous variables. Continuous variables always have the type real (or type complex). The discrete variables can be of any type. A state is any type-consistent interpretation of $V$. The set of all states is denoted by $\Sigma$.

• $\Theta$: The initial condition. A satisfiable assertion characterizing the initial states.

• $\mathcal{T}$: A finite set of transitions. Each transition $\tau \in \mathcal{T}$ is a function

$$\tau : \Sigma \mapsto 2^{\Sigma},$$

defined by a transition relation $\rho_\tau(V, V')$. A transition can also change the value of a continuous variable.

As mentioned earlier, the enabledness of a transition $\tau$ can be expressed by the formula

$$En(\tau) : (\exists V')\,\rho_\tau(V, V'),$$

which is true in $s$ iff $s$ has some $\tau$-successor. The enabling condition of a transition $\tau$ can always be written as $\delta \wedge \kappa$, where $\delta$ is the largest subformula that does not depend on continuous variables. We call $\kappa$ the continuous part of the enabling condition and denote it by $En_c(\tau)$.

• $\mathcal{A}$: A finite set of activities. Each activity $\alpha \in \mathcal{A}$ is a conditional differential equation of the form

$$p \rightarrow \dot{x} = e,$$

where $p$ is a predicate over $V_d$ called the activation condition of $\alpha$, $x \in V_c$ is a continuous state variable, and $e$ is an expression over $V$. We say that the activity $\alpha$ governs variable $x$. Activity $\alpha$ is said to be active in state $s$ if its activation condition $p$ holds on $s$. Otherwise, $\alpha$ is said to be passive.

It is required that the activation conditions of the activities that govern the same variable $x$ be exhaustive and exclusive, i.e., exactly one of them holds on any state.

• A minimal delay $l_\tau \in \mathbb{R}^+$ for every transition $\tau \in \mathcal{T}$.

• A maximal delay $u_\tau \in \mathbb{R}^\infty$ for every transition $\tau \in \mathcal{T}$. We require that $u_\tau \ge l_\tau$ for all $\tau \in \mathcal{T}$.

• A set of important events $\mathcal{I}$. This is a finite set of assertions that includes at least the assertions $En_c(\tau)$, for each $\tau \in \mathcal{T}$. These are assertions such that changes in their truth values must be observable. Usually, $\mathcal{I}$ includes, in addition to the assertions $\{En_c(\tau)\}$, all the assertions that appear in specifications of the system.

For simplicity, we require that transitions whose enabling condition depends on a continuous variable be immediate. We also require that every transition is self-disabling.

As in the real-time case, we only consider progressive systems, i.e., systems that do not admit Zeno sequences.

Activity Successors

Consider a phase transition system $\Phi$, and let $(s_1, t_1)$ and $(s_2, t_2)$ be two situations of $\Phi$ with $t_1 < t_2$. An evolution from $(s_1, t_1)$ to $(s_2, t_2)$ consists of a set of functions $F : \{f_x(t) \mid x \in V_c\}$ that are differentiable in the interval $[t_1, t_2]$ and satisfy the following requirements:

• $f_x(t_1) = s_1[x]$ and $f_x(t_2) = s_2[x]$. Thus, the values of $f_x(t)$ at the boundaries of the interval $[t_1, t_2]$ agree with the interpretation of $x$ by $s_1$ and $s_2$, respectively.

• $s_1[y] = s_2[y]$ for every $y \in V_d$. That is, states $s_1$ and $s_2$ agree on the values of all discrete variables.

• For every activity $p \rightarrow \dot{x} = e$ that governs $x$, if $p$ holds at $s_1$, then $f_x$ satisfies the differential equation

$$\dot{f}_x(t) = e(F)$$

in the interval $[t_1, t_2]$, where the expression $e(F)$ is obtained from $e$ by replacing each occurrence of a variable $y \in V_c$ by the function $f_y(t)$.

• For every assertion $\varphi \in \mathcal{I}$, $\varphi(t)$ has a uniform truth value for all $t \in (t_1, t_2)$, which equals either $\varphi(t_1)$ or $\varphi(t_2)$.

The last requirement ensures that the truth value of every important assertion $\varphi \in \mathcal{I}$ is uniform throughout the interior of the evolution interval, and matches its value at one of the endpoints of the interval. In particular, it disallows a change in the truth value of $\varphi$ at an internal point. It also guarantees that any value assumed by $\varphi$ at internal points is also represented at one of the endpoints. This implies that $\varphi$ cannot be true at both endpoints but false in the middle, nor false at both endpoints but true in the middle.

If such an evolution exists, we say that the situation $(s_2, t_2)$ is an activity successor of the situation $(s_1, t_1)$. Assuming that the differential equations satisfy some reasonable healthiness conditions, such as the Lipschitz condition, there exists at most one evolution from $(s_1, t_1)$ to $(s_2, t_2)$. In fact, the functions $F$ are uniquely determined by the situation $(s_1, t_1)$.

We denote by $\mathcal{A}((s_1, t_1))$ the set of all activity successors of $(s_1, t_1)$.

Consider, for example, a trivial phase transition system with a single (continuous) state variable $x$, no transitions, a single activity $\alpha$ given by $\alpha : \dot{x} = -1$, and an empty $\mathcal{I}$. Then, the following are examples of a situation and its activity successor:

$$\begin{array}{lcl}
s_1 : \langle x : 0,\; T : 1 \rangle & \in & \mathcal{A}(s_0 : \langle x : 1,\; T : 0 \rangle) \\
s_2 : \langle x : -1,\; T : 2 \rangle & \in & \mathcal{A}(s_1 : \langle x : 0,\; T : 1 \rangle) \\
s_2 : \langle x : -1,\; T : 2 \rangle & \in & \mathcal{A}(s_0 : \langle x : 1,\; T : 0 \rangle)
\end{array}$$
Sampling  Computations 

A sampling computation of a phase transition system $\Phi : \langle V, \Theta, \mathcal{T}, \mathcal{A}, l, u, \mathcal{I} \rangle$ is an infinite sequence of situations

$$\sigma : (s_0, t_0),\; (s_1, t_1),\; (s_2, t_2),\; \ldots$$

satisfying:

• Initiation: $s_0 \models \Theta$ and $t_0 = 0$.

• Consecution: For each $j = 0, 1, \ldots$,

  – Either $t_j = t_{j+1}$ and $s_{j+1} \in \tau(s_j)$ for some transition $\tau \in \mathcal{T}$ (transition $\tau$ is taken at $j$), or

  – $(s_{j+1}, t_{j+1})$ is an activity successor of $(s_j, t_j)$ (implying $t_j < t_{j+1}$); a continuous phase takes place at step $j$.

• Lower bound: For every transition $\tau \in \mathcal{T}$ and position $j \ge 0$, if $\tau$ is taken at $j$, there exists a position $i$, $i \le j$, such that $t_i + l_\tau \le t_j$ and $\tau$ is enabled on $s_i, s_{i+1}, \ldots, s_j$.

  This implies that $\tau$ must be continuously enabled for at least $l_\tau$ time units before it can be taken.

• Upper bound: For every transition $\tau \in \mathcal{T}$ and position $i \ge 0$, if $\tau$ is enabled at position $i$, there exists a position $j$, $i \le j$, such that $t_i + u_\tau \ge t_j$ and $\tau$ is disabled on $s_j$.

  In other words, $\tau$ cannot be continuously enabled for more than $u_\tau$ time units without being taken.

• Time Divergence: As $i$ increases, $t_i$ grows beyond any bound.


Example

Consider a simple phase transition system $\Phi_1$ given by:

State Variables: $V = V_c = \{x\}$
Initial Condition: $\Theta : x = 1$
Transitions: $\mathcal{T} = \{\tau\}$, where $\rho_\tau : (x \le -1) \wedge (x' = 1)$
Activities: $\mathcal{A} = \{\alpha\}$, where $\alpha : \dot{x} = -1$
Bounds: $l_\tau = u_\tau = 0$
Important events: $\mathcal{I} = \{En_c(\tau) : x \le -1\}$

Fig. 14 depicts the full behavior of system $\Phi_1$ as a function from $T \in \mathbb{R}^+$ to the value of $x$. Note that this is not really a function because at $T = 2$ (and all other even positive integers) $x$ has two values: $-1$ and $+1$. The value $-1$ is attained at the end of the continuous phase, while $+1$ is the result of taking transition $\tau$ at this point.

There are (uncountably) many sampling computations that correspond to this full behavior.

For example, the sampling computation

$$\sigma_1 : \; s_0 : \langle x : 1,\; T : 0 \rangle \rightarrow s_1 : \langle x : -1,\; T : 2 \rangle \rightarrow s_2 : \langle x : 1,\; T : 2 \rangle \rightarrow s_3 : \langle x : -1,\; T : 4 \rangle \rightarrow \cdots$$

corresponds to sampling the full behavior as shown in Fig. 15. A more frequent sampling leads to the computation

$$\sigma_2 : \; s_0 : \langle x : 1,\; T : 0 \rangle \rightarrow s_1 : \langle x : 0,\; T : 1 \rangle \rightarrow s_2 : \langle x : -1,\; T : 2 \rangle \rightarrow s_3 : \langle x : 1,\; T : 2 \rangle \rightarrow s_4 : \langle x : 0,\; T : 3 \rangle \rightarrow s_5 : \langle x : -1,\; T : 4 \rangle \rightarrow \cdots$$

whose sampling points are shown in Fig. 16.

Figure 16: Sampling computation $\sigma_2$.

In comparison, consider phase transition system $\Phi_2$ which is identical to $\Phi_1$ in all components, except for $\mathcal{I}$, which is given by

Important events: $\mathcal{I}_2 = \{x \le -1,\; x = 0\}$

Thus, system $\Phi_2$ considers the assertion $x = 0$ to be an important event in addition to $x \le -1$, which is the enabling condition of transition $\tau$. The situation sequence $\sigma_2$ is a sampling computation of $\Phi_2$ as well. However, the sequence $\sigma_1$ is not. Informally, this is because $\sigma_1$ fails to observe the (infinitely many) points at which $x$ becomes 0. Formally, $s_1 : \langle x : -1,\; T : 2 \rangle$ is no longer an activity successor of $s_0 : \langle x : 1,\; T : 0 \rangle$ because the evolution from $s_0$ to $s_1$ did not respect the condition that important assertions do not change their truth value in the middle of a continuous step.
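The distinction between $\sigma_1$ and $\sigma_2$ can be checked mechanically. The following Python code is an added example (not from the paper): it tests a finite prefix of a situation sequence against the sampling-computation conditions of $\Phi_1$ and $\Phi_2$, including the important-event requirement on evolutions; the encoding of assertions as ("le"/"eq", c) pairs, the helper sit and the function names are ours.

```python
# Added example, not from the paper: checks a finite prefix of a situation
# sequence against the sampling-computation conditions of the one-variable
# systems Phi_1 / Phi_2 above (activity xdot = -1, transition tau with
# rho_tau: x <= -1 and x' = 1, bounds l_tau = u_tau = 0).  Important events
# are assertions of the form  x <= c  or  x = c  (our encoding).
from fractions import Fraction as Fr
from typing import List, Tuple

Situation = Tuple[Fr, Fr]          # (value of x, time stamp T)
Assertion = Tuple[str, Fr]         # ("le", c) stands for x <= c, ("eq", c) for x = c

SLOPE = Fr(-1)                     # the single activity alpha : xdot = -1
I1: List[Assertion] = [("le", Fr(-1))]                  # Phi_1: only En_c(tau)
I2: List[Assertion] = [("le", Fr(-1)), ("eq", Fr(0))]   # Phi_2: x = 0 is important too


def sit(x, t) -> Situation:
    """Build a situation <x : x, T : t> with exact rational arithmetic."""
    return (Fr(x), Fr(t))


def holds(a: Assertion, x: Fr) -> bool:
    kind, c = a
    return x <= c if kind == "le" else x == c


def tau_enabled(x: Fr) -> bool:    # En(tau) = En_c(tau): x <= -1
    return x <= -1


def activity_successor(s1: Situation, s2: Situation, important: List[Assertion]) -> bool:
    """Is (s2, t2) an activity successor of (s1, t1)?  The only evolution is the
    affine function f(t) = x1 + SLOPE*(t - t1); it must reach x2 at t2, and every
    important assertion must keep one truth value on the open interval (t1, t2)
    that it also has at t1 or at t2."""
    (x1, t1), (x2, t2) = s1, s2
    if not t1 < t2:
        return False
    f = lambda t: x1 + SLOPE * (t - t1)
    if f(t2) != x2:
        return False
    for a in important:
        c = a[1]
        # f is affine with nonzero slope, so the truth value of x <= c or x = c
        # can change only at the single point where f(t) = c
        t_change = t1 + (c - x1) / SLOPE
        if t1 < t_change < t2:
            return False                        # truth value flips inside the phase
        inside = holds(a, f((t1 + t2) / 2))     # uniform value, sampled at the midpoint
        if inside != holds(a, x1) and inside != holds(a, x2):
            return False                        # value in the middle not seen at an endpoint
    return True


def is_sampling_prefix(seq: List[Situation], important: List[Assertion]) -> bool:
    """Initiation, consecution and the [0, 0] bounds of tau on a finite prefix
    (time divergence is a property of the infinite sequence and is not checked)."""
    x0, t0 = seq[0]
    if not (x0 == 1 and t0 == 0):               # Theta: x = 1, and t_0 = 0
        return False
    for (x, t), (xn, tn) in zip(seq, seq[1:]):
        if t == tn and tau_enabled(x) and xn == 1:
            continue                             # tau taken at this position
        if tau_enabled(x):
            return False                         # u_tau = 0: tau must fire before time moves
        if not activity_successor((x, t), (xn, tn), important):
            return False
    return True


# constructed prefixes of the computations sigma_1 and sigma_2 from the text
SIGMA1 = [sit(1, 0), sit(-1, 2), sit(1, 2), sit(-1, 4)]
SIGMA2 = [sit(1, 0), sit(0, 1), sit(-1, 2), sit(1, 2), sit(0, 3), sit(-1, 4)]

if __name__ == "__main__":
    for name, seq in (("sigma_1", SIGMA1), ("sigma_2", SIGMA2)):
        print(name, "Phi_1:", is_sampling_prefix(seq, I1), "Phi_2:", is_sampling_prefix(seq, I2))
```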

Super-Dense  Computations 

In addition to sampling computations, [MMP92] presents another class of computations, based on the notion of hybrid traces. Sampling computations, similar to computations of timed transition systems, have the signature $\mathbb{N} \mapsto \Sigma \times \mathbb{R}^+$, that is, each natural number $j = 0, 1, \ldots$ is mapped to a pair consisting of a state $s_j$ and a real time stamp $t_j$, i.e., a situation.

In contrast, the other type of computations presented in [MMP92], to which we refer here as super-dense computations, have the signature $\mathbb{R}^+ \times \mathbb{N} \mapsto \Sigma$, that is, each pair $(t, i)$, where $t \in \mathbb{R}^+$ and $i \in \mathbb{N}$, is mapped to a state $s \in \Sigma$. The pair $(t, i)$ identifies a time stamp $t$ and a step number $i$. The step numbers correspond to the transitions that are taken at time instant $t$.

For example, the (single) super-dense computation produced by phase transition system $\Phi_1$ is given by a function $x(t, i)$ from $\mathbb{R}^+ \times \mathbb{N}$ to $\mathbb{R}$ defined as

$$x(t, i) = \begin{cases}
1 & \text{for } t = 0 \text{ and } i \ge 0 \\
1 - t & \text{for } 0 < t < 2 \text{ and } i \ge 0 \\
-1 & \text{for } t = 2 \text{ and } i = 0 \\
1 & \text{for } t = 2 \text{ and } i \ge 1 \\
3 - t & \text{for } 2 < t < 4 \text{ and } i \ge 0 \\
-1 & \text{for } t = 4 \text{ and } i = 0 \\
1 & \text{for } t = 4 \text{ and } i \ge 1
\end{cases}$$
An argument, offered in [MMP92], claims that the super-dense semantics provides a more precise representation of the behavior of hybrid systems than the semantics of sampling computations. The main criticism of sampling computations complains that some important events may fail to be observed, such as the event of $x$ becoming 0, to which computation $\sigma_1$ is oblivious.

This problem of undersampling is solved here by the introduction of the important event component. Consequently, in this paper we continue to use the sampling-computation semantics. The advantages of the sampling semantics are that it is simpler than the super-dense semantics and conforms better with sequence-based verification methods.


4.2  System  Description  by  Hybrid  Statecharts 

Hybrid systems can be conveniently described by an extension of timed statecharts called hybrid statecharts. The main extension is that states may be labeled by (unconditional) differential equations. The implication is that the activity associated with the differential equation is active precisely when the state it labels is active.

We illustrate this form of description by the example of Cat and Mouse taken from [MMP92]. At time $T = 0$, a mouse starts running from a certain position on the floor in a straight line towards a hole in the wall, which is at a distance $X_0$ from the initial position. The mouse runs at a constant velocity $v_m$. After a delay of $\Delta$ time units, a cat is released at the same initial position and chases the mouse at velocity $v_c$ along the same path. Will the cat catch the mouse, or will the mouse find sanctuary while the cat crashes against the wall?

The statechart in Fig. 17 describes the possible scenarios.

The specification (and underlying phase transition system) uses the continuous state variables $x_m$ and $x_c$, measuring the distance of the mouse and the cat, respectively, from the wall. It refers to the constants $X_0$, $v_m$, $v_c$, and $\Delta$.

A behavior of the system starts with states Cat.rest and Mouse.rest active, and variables $x_m$ and $x_c$ set to the initial value $X_0$. The mouse proceeds immediately to the state of running, in which its variable changes continuously according to the equation $\dot{x}_m = -v_m$. The cat waits for a delay of $\Delta$ before entering its running state. Then there are several possible scenarios. If the event $x_m = 0$ happens first, the mouse reaches sanctuary and moves to state safe, where it waits for the cat to reach the wall. As soon as this happens, detectable by the condition $x_c = x_m = 0$ becoming true, the system moves to state Mouse-Wins. The other possibility is that the event $x_c = x_m > 0$ occurs first, which means that the cat overtook the mouse before the mouse reached sanctuary. In this case they both stop running and the system moves to state Cat-Wins. The compound conditions $x_c = x_m = 0$ and $x_c = x_m > 0$ stand for the conjunctions $x_c = x_m \wedge x_m = 0$ and $x_c = x_m \wedge x_m > 0$, respectively.

Figure 17: Specification of Cat and Mouse.

This diagram illustrates the typical interleaving between continuous activities and discrete state changes, which in this example only involves changes of control.

The idea of using statecharts with continuous activities associated with certain states (usually basic ones) was already suggested in [Har84]. According to this suggestion, these states are associated with activities that represent physical (and therefore possibly continuous) operations and interactions with the environment.

The  Underlying  Phase  Transition  System 

Following the graphical representation, we identify the phase transition system underlying the picture of Fig. 17.

• State Variables: Given by $V_c = \{x_c, x_m\}$ and $V_d = \{\pi\}$. Variable $\pi$ is a control variable whose value is a set of basic states of the statechart.

• Initial Condition: Given by

$$\Theta : \pi = \{\mathit{Mouse.rest}, \mathit{Cat.rest}\} \wedge x_c = x_m = X_0 .$$

• Transitions: Listed together with the transition relations associated with them.

$$\begin{array}{ll}
\mathit{M.rest\text{-}run} & \mathit{Mouse.rest} \in \pi \wedge \pi' = \pi - \{\mathit{Mouse.rest}\} \cup \{\mathit{Mouse.run}\} \\
\mathit{C.rest\text{-}run} & \mathit{Cat.rest} \in \pi \wedge \pi' = \pi - \{\mathit{Cat.rest}\} \cup \{\mathit{Cat.run}\} \\
\mathit{M.run\text{-}safe} & \mathit{Mouse.run} \in \pi \wedge x_m = 0 \wedge \pi' = \pi - \{\mathit{Mouse.run}\} \cup \{\mathit{Mouse.safe}\} \\
\mathit{M.win} & (\mathit{Active} \cap \pi) \ne \emptyset \wedge x_c = x_m = 0 \wedge \pi' = \{\mathit{Mouse\text{-}Wins}\} \\
\mathit{C.win} & (\mathit{Active} \cap \pi) \ne \emptyset \wedge x_c = x_m > 0 \wedge \pi' = \{\mathit{Cat\text{-}Wins}\}
\end{array}$$

The set $\mathit{Active}$ stands for the set of basic states

$$\{\mathit{Mouse.rest}, \mathit{Mouse.run}, \mathit{Mouse.safe}, \mathit{Cat.rest}, \mathit{Cat.run}\}.$$

• Activities: Four activities represent the running activities of the two participants. Their equations are given by:

$$\begin{array}{lcl}
\mathit{Mouse.run} \in \pi & \rightarrow & \dot{x}_m = -v_m \\
\mathit{Mouse.run} \notin \pi & \rightarrow & \dot{x}_m = 0 \\
\mathit{Cat.run} \in \pi & \rightarrow & \dot{x}_c = -v_c \\
\mathit{Cat.run} \notin \pi & \rightarrow & \dot{x}_c = 0
\end{array}$$

• Time Bounds: For transition $\mathit{C.rest\text{-}run}$, they are $[\Delta, \Delta]$. All other transitions are immediate.

• Important Events: Given by

$$\mathcal{I} : \{x_m = 0,\; x_c = x_m = 0,\; x_c = x_m > 0\}$$

System  Description  by  Textual  Programs 

It  is  possible  to  extend  the  simple  programming  language  SPL  to  represent  timed  and 
hybrid  systems  as  well.  The  resulting  language  is  a  subset  of  the  language  Siatexl  intro¬ 
duced  in  |KP92b],  which  is  shown  there  to  have  expressive  power  equal  to  that  of  hybrid 
statecharts. 

We  extend  SPL  by  the  following  statements: 

•  skip 

This  statement  serves  as  a  filler.  It  does  nothing  and  terminates  in  a  single  execution 
step. 

•  idle 

Like  the  skip  statement,  this  statement  does  not  change  the  data  state  However, 
unlike  the  skip  statement,  the  idle  statement  never  terminates  The  only  way  to  get 
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out  of  an  idle  statement  is  by  preemption ,  which  is  another  important  construct  of  the 
extended  language  introduced  later. 

• delay $[l,u]$

This statement delays for a time lying between $l$ and $u$. Its semantics is given by a transition with time bounds $[l,u]$.

•  Selection 

For statements $S_1$ and $S_2$,

  $S_1 \cup S_2$

is a selection statement. Its intended meaning is that, as a first step, one of $S_1$ and $S_2$ which is currently enabled is selected and the first step in the selected statement is executed. Subsequent steps proceed to execute the rest of the selected substatement. If both $S_1$ and $S_2$ are enabled, the selection is non-deterministic. If both $S_1$ and $S_2$ are currently disabled, then so is the selection statement.

•  Cooperation 

For statements $S_1$ and $S_2$,

  $S_1 \parallel S_2$

is a cooperation statement. It calls for parallel execution of $S_1$ and $S_2$. The cooperation statement terminates when both $S_1$ and $S_2$ have terminated.

•  Preemption 

For statements $S_1$ and $S_2$,

  $S_1 \;\mathrm{U}\; S_2$

is a preemption statement. Steps in the execution of this statement are either steps in the execution of $S_1$ taken forever or till $S_1$ terminates, or zero or more steps in the execution of $S_1$ followed by steps in the execution of $S_2$. Thus, the intended meaning of the preemption statement is

  Execute $S_1$ forever or until it terminates,
  or execute $S_1$ until a first step of $S_2$ is taken, and then continue to execute $S_2$.

As usual, if a transition $\tau$ in $S_2$ has been continuously enabled for $u_\tau$ time units, then $\tau$ must be taken and execution switches to $S_2$ before time can progress.

Consider, for example, the statement

  [ while T do
      [ delay [3,3];
        y := y + 1 ]
  ] U await y > 2

Assuming the await statement to be immediate (assigned maximal delay 0), this statement terminates as soon as $y$ grows above 2, even though the while statement, when standing alone, does not terminate.

•  Differential  Equations 

Differential equations are also acceptable as statements of the extended language. A differential equation statement never terminates, and the only way to get out of it is by preemption, using the $\mathrm{U}$ construct. Statements consisting of differential equations are associated with activities, in contrast to all other statements, which are associated with transitions. Thus, the statement

  $\ell:\ \dot{x} = e$

gives rise to the activity

  $\alpha_\ell:\ \ell \in \pi \;\to\; \dot{x} = e.$

We refer to this activity as an explicit activity since it corresponds to an explicit statement in the program.

Besides the explicit activities, each continuous variable $x \in V_c$ also has an implicit default activity $\alpha_x^{def}$ which controls its continuous change when none of the explicit activities governing $x$ is active. If $\ell_1, \ldots, \ell_m$ are all the statements giving rise to explicit activities for $x$, then its default activity is given by

  $\alpha_x^{def}:\ \{\ell_1, \ldots, \ell_m\} \cap \pi = \emptyset \;\to\; \dot{x} = 0.$


In  addition  to  these  new  statements,  we  assign  time  bounds  to  each  transition  in  the 
language. 

We refer the reader to [KP92b] for a sampling-computation semantics of this extension of SPL.

As an example, consider the statement

  [ ℓ_0 : while T do
        [ ℓ_1 : delay [3,3];
          ℓ_2 : y := y + 1 ]
  ] U [ m_0 : await y > 2 ]

The transition relation associated with $m_0$ is

  $\rho_{m_0}:\ m_0 \in \pi \;\wedge\; y > 2 \;\wedge\; \pi' = \pi - \{m_0, \ell_0, \ell_1, \ell_2\} \cup \{k\},$

where $k$ is the location following the preemption statement. Thus, on executing $m_0$, control discards any locations within statement $\ell_0$.

Cat  and  Mouse  in  Extended  SPL 

The top level of the hybrid SPL specification is

  x_c, x_m : real where x_c = x_m = X_0

  Spec :: [ [Mouse || Cat]  U  [ [ await x_c = x_m > 0 ; Cat-Wins : ]
                                ∪ [ await x_c = x_m = 0 ; Mouse-Wins : ] ] ]

Mouse and Cat are processes defined as follows:

  Mouse :: [ ẋ_m = −v_m ]  U  [ await x_m = 0 ; idle ]

  Cat :: [ delay [Δ,Δ] ; ẋ_c = −v_c ]

The idle statement at the end of process Mouse corresponds to state Mouse.safe in the statechart.

The transitions associated with the statements of this extended SPL program are all immediate, except for the transition associated with the delay statement, which is assigned the time bounds $[\Delta, \Delta]$.
The Sharpness Condition

Requiring that systems be progressive still does not guarantee that every phase transition system has a computation. Consider, for example, a system described by the statechart of Fig. 18.

Initially $x = 0$

Figure 18: A system with no computations.

Any possible computation must start at the initial situation $s_0 : \langle \pi : n_0,\ x : 0,\ T : 0 \rangle$. Unfortunately, there is no way to proceed from this situation. The transition from $n_0$ to $n_1$ cannot be taken since $x$ is not positive. Time cannot progress by even a small amount $\epsilon > 0$, because that would cause the transition from $n_0$ to $n_1$ to be continuously enabled for $\epsilon$ time units, which is longer than its upper bound 0. It follows that this system has no computations.

Obviously, the problem can be traced to the nature of the condition $x > 0$ which, when $x$ increases continuously, has no definite point in time at which the condition becomes true. To prevent such situations, we define a subset of formulas to which we refer as sharp formulas and which always have definite points at which they become true. A formula $p$ is defined to be sharp if:

• $p$ depends only on discrete variables, or

• $p$ has the form $t_1 \le t_2$ for some terms $t_1$ and $t_2$, or

• $p$ has the form $q \wedge r$ or $q \vee r$ for some sharp formulas $q$ and $r$.

A phase transition system is called sharp if each immediate transition $\tau$ is a member of a set of immediate transitions $\{\tau_1, \ldots, \tau_k\}$ (possibly consisting of $\tau$ alone) such that the disjunction

  $En(\tau_1) \vee \cdots \vee En(\tau_k)$

is equivalent to a sharp formula. This ensures that when $\tau$ becomes enabled as a result of a continuous evolution, then the disjunction $En(\tau_1) \vee \cdots \vee En(\tau_k)$, which is sharp, also becomes true. It follows that there is a first moment at which the disjunction becomes true and one of the transitions in the set $\{\tau_1, \ldots, \tau_k\}$ can be immediately taken.

Obviously, the system of Fig. 18 is not sharp and this explains the problems associated with it. On the other hand, consider the Cat and Mouse system of Fig. 17. The enabling condition of transition C.win is $(\mathit{Active} \cap \pi) \neq \emptyset \wedge x_c = x_m \wedge x_m > 0$, which is not a sharp formula. However, when we consider the larger set of immediate transitions $\{C.win, M.win\}$ and take the disjunction of the enabling conditions of its members, we obtain

  $(\mathit{Active} \cap \pi) \neq \emptyset \;\wedge\; x_c = x_m \;\wedge\; x_m \ge 0,$

which is a sharp formula. Consequently, the Cat and Mouse system is sharp.

From now on, we will only consider sharp phase transition systems.

4.3  Requirement  Specification  Languages 

At present, no special extensions to the requirement specification languages have been identified for hybrid systems. As in the case of the real-time model, we use either MTL or $\mathrm{TL}_\Gamma$ for specifying properties of hybrid systems.

For example, to specify that the mouse will always escape the cat, for the system of Fig. 17, we can write the invariance formula

  $\Box\,(\mathit{Cat.run} \wedge (x_c = x_m) \;\to\; x_m = 0),$

where we use names of states in a statechart as control predicates. Of course, such a property will not be valid over all computations of the Cat and Mouse system, unless some relation is established among the problem parameters $X_0$, $\Delta$, $v_c$, and $v_m$. Indeed, a sufficient condition for this property to be valid is:

  $\dfrac{X_0}{v_m} \;<\; \Delta + \dfrac{X_0}{v_c}.$

4.4  Verification  of  Age  Formulas 

Here we only consider verification of $\mathrm{TL}_\Gamma$ formulas over hybrid systems. The age axioms and rule T-INIT, presented for the real-time model, hold here as well. The major difference is in the verification conditions.

Verification Conditions for Hybrid Systems

The verification condition $\{p\}\,\mathcal{T}\,\{q\}_T$ remains unchanged. However, instead of using the verification condition $\{p\}\ \mathit{tick}\ \{q\}$, we define a new condition

  $\{p\}\ \mathit{cont}\ \{q\}$

which is intended to ensure that every continuous phase leads from a $p$-situation to a $q$-situation.

To formulate the verification condition over continuous steps, we consider an evolution from a situation that can be described as $(V, T)$ to the situation $(V', T')$, assuming that $T' > T$.

An activity selection is a mapping $g : V_c \mapsto \mathcal{A}$, assigning to each continuous variable $x \in V_c$ an activity $g(x)$ in its governing set. Assume that the activity selected by $g$ for each continuous state variable $x \in V_c$ is

  $\dot{x} = e^g_x.$

Let $F^g = \{f^g_x(t)\}$ be a set of functions, one for each continuous variable $x \in V_c$, such that

• $f^g_x(T) = x$, for every $x \in V_c$.

• The equation

  $\dot{f}^g_x(t) = e^g_x(F^g)$

is satisfied in the range $t \in [T, T']$, where $e^g_x(F^g)$ is obtained from $e^g_x$ by replacing each occurrence of $y \in V_c$ by $f^g_y(t)$.

We assume that we know how to express the functions $f^g_x$ in a closed form, referring to $x$, $T$, and $t$. For example, if $g$ selects for $x \in V_c$ the activity $\dot{x} = 2$, then $f^g_x(t)$ is given by

  $f^g_x(t) = x + 2\cdot(t - T).$

The  Condition 

With each possible activity selection function $g$, we associate a verification condition $\{p\}\ g\ \{q\}$, which is given by

  $\rho^g_{cont} \;\wedge\; p \;\to\; q',$

where the relation $\rho^g_{cont}$ stands for

  $\displaystyle \bigwedge_{x \in V_D} x' = x \;\wedge\; \bigwedge_{x \in V_c} f^g_x(T') = x' \;\wedge\; \bigwedge_{x \in V_c} p^g_x \;\wedge\; T' > T \;\wedge\; \bigwedge_{\tau \in \mathcal{T}} \big(\Gamma'(En(\tau)) \le u_\tau\big) \;\wedge$

  $\displaystyle \bigwedge_{\varphi \in I} \left(\begin{array}{l} (\forall t : T \le t \le T' : \varphi^g(t)) \;\wedge\; \Gamma'(\varphi) = \Gamma(\varphi) + T' - T \\ \vee \\ (\forall t : T \le t < T' : \varphi^g(t)) \;\wedge\; \neg\varphi' \;\wedge\; \Gamma'(\varphi) = 0 \\ \vee \\ (\forall t : T < t < T' : \neg\varphi^g(t)) \;\wedge\; (\neg\varphi \vee \neg\varphi') \;\wedge\; \Gamma'(\varphi) = 0 \end{array}\right)$

The first conjunct of the formula states that all discrete variables are not changed in a continuous step. The next conjunct states that the value of $f^g_x(T')$ agrees with $x'$. The third conjunct requires that the activation condition $p^g_x$ holds at the pre-state $V$. The fourth conjunct requires that time progresses by a positive amount. The last conjunct in the first line ensures that the progress of time cannot cause any transition to remain continuously enabled longer than is allowed by its upper bound $u_\tau$.

The next line requires that every important assertion is either true throughout the full evolution interval, or is false throughout the full evolution interval, except possibly at one of its boundaries. The formula $\varphi^g(t)$ is obtained from $\varphi$ by replacing each occurrence of $y \in V_c$ by $f^g_y(t)$.

This line also defines the value of $\Gamma'(r)$ after a continuous phase takes place. In order to ensure that this definition actually measures the age of an assertion, we restrict the use of the expression $\Gamma(r)$ to assertions $r$ that appear in the important event set $I$.

In comparison, when a transition is taken, the value of $\Gamma'(r)$ is determined by the following axiom:

  $\Gamma'(r) = \mathbf{if}\ r'\ \mathbf{then}\ \Gamma(r)\ \mathbf{else}\ 0.$

Consider, for example, the condition $\{-1 \le x \le 1\}\ g\ \{-1 \le x \le 1\}$ for system $\Phi_1$. Since there is only one activity, there is only one activity selection $g$, i.e., the one that selects this activity. The evolution function $f^g_x$ is given by $f^g_x(t) = x - (t - T)$. Consequently, the verification condition is given (after some simplifications) by:

  $\left[\begin{array}{l} \pi' = \pi \;\wedge\; x' = x - (T' - T) \;\wedge\; T' > T \\ \wedge\; \Gamma'(x < -1) \le 0 \\ \wedge\; \left(\begin{array}{l} (\forall t : T \le t \le T' : x - (t - T) < -1) \;\wedge\; \Gamma'(x < -1) = \Gamma(x < -1) + T' - T \\ \vee \\ (\forall t : T \le t < T' : x - (t - T) < -1) \;\wedge\; x' \ge -1 \;\wedge\; \Gamma'(x < -1) = 0 \\ \vee \\ (\forall t : T < t < T' : x - (t - T) \ge -1) \;\wedge\; (x \ge -1 \vee x' \ge -1) \;\wedge\; \Gamma'(x < -1) = 0 \end{array}\right) \end{array}\right]$

  $\wedge\; \underbrace{-1 \le x \le 1}_{p} \;\to\; \underbrace{-1 \le x' \le 1}_{q'}$

First, we show that each of the three possibilities allowed by the last conjunct of the formula implies $x' \ge -1$.

• The case $(\forall t : T \le t \le T' : x - (t - T) < -1)$ is impossible since, as $\Gamma(x < -1) \ge 0$ and $T' > T$, this leads to $\Gamma'(x < -1) > 0$, which violates the conjunct in the second line of the formula.

• The case $(\forall t : T \le t < T' : x - (t - T) < -1)$ explicitly requires $x' \ge -1$.

• The case $(\forall t : T < t < T' : x - (t - T) \ge -1)$ implies that $x - (t - T) \ge -1$ holds for all $t \in (T, T')$. It follows that, in the limit of $t$ approaching $T'$, $x' = x - (T' - T) \ge -1$.

For the other inequality, from $T' > T$ it follows that $x' = x - (T' - T) < x \le 1$ and therefore $x' \le 1$.


Finally, we define the verification condition over a continuous step to be

  $\{p\}\ \mathit{cont}\ \{q\}:\quad \displaystyle\bigwedge_{g} \{p\}\ g\ \{q\},$

where the conjunction of the individual conditions $\{p\}\ g\ \{q\}$ is taken over all possible activity selection functions $g$.


Rules  for  Waiting-For  and  Invariance  Formulas 

Having  defined  the  two  verification  conditions,  we  can  immediately  formulate  two  rules 
for  proving  waiting-for  and  invariance  formulas  over  hybrid  systems. 

  H-INV   I1. $\Theta \to \varphi$
          I2. $\{\varphi\}\ \mathcal{T}\ \{\varphi\}_T$
          I3. $\{\varphi\}\ \mathit{cont}\ \{\varphi\}$
          ----------------------------
          $\Box\varphi$

  H-WAIT  W1. $p \to q \vee \varphi$
          W2. $\{\varphi\}\ \mathcal{T}\ \{q \vee \varphi\}_T$
          W3. $\{\varphi\}\ \mathit{cont}\ \{q \vee \varphi\}$
          ----------------------------
          $p \;\Rightarrow\; \varphi\ \mathcal{W}\ q$
We will illustrate the use of these rules on several examples.

For the most trivial example, consider system $\Phi_1$. We will prove that the invariant $\Box(-1 \le x \le 1)$ is valid over all sampling computations of this system. We use rule H-INV with $\varphi : -1 \le x \le 1$.

Premise I1 assumes the form

  $\underbrace{x = 1 \wedge T = 0}_{\Theta} \;\to\; \underbrace{-1 \le x \le 1}_{\varphi},$

which is obviously valid.

Premise I2 assumes the form

  $\underbrace{\cdots \wedge (x' = 1) \wedge \cdots}_{\rho_\tau} \;\wedge\; \underbrace{\cdots}_{\varphi} \;\to\; \underbrace{-1 \le x' \le 1}_{\varphi'},$

which is also obviously valid.

Premise I3 requires showing that $-1 \le x \le 1$ is preserved under a continuous step. However, this has been verified above.

Proof  of  a  Hybrid  Version  of  Program  ANY-Y 

In Fig. 19, we present an extended SPL program ANY-Y$_H$ that can be viewed as a hybrid version of program ANY-Y.

  y : integer where y = 0
  x : real where x = 0

  P_1 :: [ ℓ_0 : while x < 1 do [ ℓ_1 : y := y + 1 ] ;  ℓ_2 : ]
    ||
  P_2 :: [ [ m_0 : ẋ = 0.2 ] U [ m_1 : await x ≥ 1 ] ;  m_2 : ]

Figure 19: Program ANY-Y$_H$: A hybrid textual program.

In this program, process $P_2$ represents a continuous component that lets $x$ grow linearly from 0 until it reaches a value $x \ge 1$. At that point, statement $m_1$ intervenes and shuts off the continuous process. Process $P_1$ is very similar to process $P_1$ in program ANY-Y. It loops, incrementing $y$, as long as $x < 1$. Once process $P_1$ detects that $x \ge 1$, it terminates. Note that $x$ never exceeds 1, so that all references to $x \ge 1$ can be replaced by $x = 1$.

The time bounds associated with this program identify transition $m_1$ as immediate (i.e., time bounds $[0,0]$), and assign uniform time bounds $[1,5]$ to all other transitions.

To fully comprehend the behavior of this program, we present two possible computations of ANY-Y$_H$. The first computation attempts to maximize the value of $y$ on termination.

  $\langle \pi : \{\ell_0, m_0, m_1\},\ x : 0.0,\ y : 0,\ T : 0\rangle \;\to\; \langle \pi : \{\ell_0, m_0, m_1\},\ x : 0.2,\ y : 0,\ T : 1\rangle \;\to$
  $\langle \pi : \{\ell_0, m_0, m_1\},\ x : 0.4,\ y : 0,\ T : 2\rangle \;\to\; \langle \pi : \{\ell_0, m_0, m_1\},\ x : 0.4,\ y : 1,\ T : 2\rangle \;\to$
  $\langle \pi : \{\ell_0, m_0, m_1\},\ x : 0.6,\ y : 1,\ T : 3\rangle \;\to\; \langle \pi : \{\ell_0, m_0, m_1\},\ x : 0.8,\ y : 1,\ T : 4\rangle \;\to$
  $\langle \pi : \{\ell_0, m_0, m_1\},\ x : 0.8,\ y : 2,\ T : 4\rangle \;\to\; \langle \pi : \{\ell_0, m_0, m_1\},\ x : 1.0,\ y : 2,\ T : 5\rangle \;\to$
  $\langle \pi : \{\ell_0, m_2\},\ x : 1.0,\ y : 2,\ T : 5\rangle \;\to\; \langle \pi : \{\ell_2, m_2\},\ x : 1.0,\ y : 2,\ T : 5\rangle \;\to$
  $\langle \pi : \{\ell_2, m_2\},\ x : 1.0,\ y : 2,\ T : 6\rangle \;\to\; \cdots$

The second computation attempts to minimize the value of $y$ on termination.

  $\langle \pi : \{\ell_0, m_0, m_1\},\ x : 0.0,\ y : 0,\ T : 0\rangle \;\to\; \langle \pi : \{\ell_0, m_0, m_1\},\ x : 1.0,\ y : 0,\ T : 5\rangle \;\to$
  $\langle \pi : \{\ell_0, m_2\},\ x : 1.0,\ y : 0,\ T : 5\rangle \;\to\; \langle \pi : \{\ell_2, m_2\},\ x : 1.0,\ y : 0,\ T : 5\rangle \;\to$
  $\langle \pi : \{\ell_2, m_2\},\ x : 1.0,\ y : 0,\ T : 6\rangle \;\to\; \cdots$

We will now prove that program ANY-Y$_H$ also terminates within 15 time units. Using rule T-INIT, it is sufficient to prove

  $\Theta \;\Rightarrow\; (T \le 15)\ \mathcal{W}\ (\mathit{at\_\ell_2} \wedge \mathit{at\_m_2}).$

The proof uses rule H-WAIT and monotonicity. The main constituents of the proof are presented in Fig. 20.

Figure 20: A hybrid waiting-for proof diagram.

It is not difficult to check that this diagram is valid with respect to $\Theta$, $T \le 15$, and $\mathit{at\_\ell_2} \wedge \mathit{at\_m_2}$. The only new element is checking that assertion $\varphi_0$ is preserved under a continuous step. The activity set for this program consists of the two activities:

  $\alpha_1:\ \mathit{at\_m_0} \;\to\; \dot{x} = 0.2$
  $\alpha_2:\ \neg\mathit{at\_m_0} \;\to\; \dot{x} = 0.$

The only activity selection function $g$ relevant for states satisfying $\varphi_0$ is the one that picks $\alpha_1$ for $x$, i.e., $g(x) = \alpha_1$. For this choice of $g$, the evolution of $x$ is given by $f^g_x(t) = x + 0.2\cdot(t - T)$. Consequently, the appropriate verification condition (after some simplifications) is

  $\pi' = \pi \;\wedge\; x' = x + 0.2\cdot(T' - T) \;\wedge\; T' > T \;\wedge\; (\forall t : T \le t < T' : x + 0.2\cdot(t - T) < 1)$
  $\wedge\; \underbrace{\mathit{at\_\ell_{0,1}} \wedge \mathit{at\_m_0} \wedge \mathit{at\_m_1} \wedge 0 \le x = 0.2\cdot T \le 1 \wedge T \le 5}_{\varphi_0}$
  $\to\; \cdots \vee \underbrace{(\mathit{at\_\ell_{0,1}})' \wedge (\mathit{at\_m_0})' \wedge (\mathit{at\_m_1})' \wedge 0 \le x' = 0.2\cdot T' \le 1 \wedge T' \le 5}_{\varphi_0'}$

It is not difficult to see that this implication is valid:

• $(\mathit{at\_\ell_{0,1}})' \wedge (\mathit{at\_m_0})' \wedge (\mathit{at\_m_1})'$ follows from $\pi' = \pi$.

• $x' = 0.2\cdot T'$ follows from $x' = x + 0.2\cdot(T' - T)$ and $x = 0.2\cdot T$.

• $0 \le x'$ follows from $0 \le T < T'$ and $x' = 0.2\cdot T'$.

• Taking the limit over $(\forall t : T \le t < T' : x + 0.2\cdot(t - T) < 1)$ as $t$ tends to $T'$ yields $x' = x + 0.2\cdot(T' - T) \le 1$.

• $T' \le 5$ follows from $0.2\cdot T' \le 1$.

This establishes that program ANY-Y$_H$ terminates within 15 time units.


Verifying  a  Property  of  the  Cat  and  Mouse  System 
Consider the property that, under the assumption

  $\dfrac{X_0}{v_m} \;<\; \Delta + \dfrac{X_0}{v_c}, \qquad (1)$

all computations of the Cat and Mouse system satisfy

  $\Box(\mathit{Cat.run} \wedge (x_c = x_m) \;\to\; x_m = 0).$

In Fig. 21, we present a proof diagram of this invariance property. In this diagram we use control assertions denoting that certain basic states are contained in $\pi$. For example, $C.run$ stands for $\mathit{Cat.run} \in \pi$. We also use $t_m$ for the time it takes the mouse to run the distance $X_0$.

  $\varphi_0:\ M.rest \wedge C.rest \wedge x_c = x_m = X_0$
      ↓ M.rest-run
  $\varphi_1:\ M.run \wedge C.rest \wedge 0 \le \Gamma(C.rest) = T \le \Delta \;\wedge\; x_c = X_0 \wedge x_m = X_0 - v_m\cdot T$
      ↓ C.rest-run
  $\varphi_2:\ M.run \wedge C.run \wedge \Delta \le T \le t_m \;\wedge\; x_c = X_0 - v_c\cdot(T - \Delta) > x_m = X_0 - v_m\cdot T$
      ↓ M.run-safe
  $\varphi_3:\ (M.safe \vee M.wins) \wedge x_m = 0$

Figure 21: A hybrid invariance proof diagram.

It is not difficult to verify that the diagram is invariance-sound, including the preservation of all assertions under a continuous step. The only part that requires more attention is showing that the conjunct

  $x_c = X_0 - v_c\cdot(T - \Delta) \;>\; x_m = X_0 - v_m\cdot T$

is maintained as long as $x_m$ is nonnegative, which implies $T \le t_m$. To show this, it is sufficient to show $v_c\cdot(T - \Delta) \le v_m\cdot T$, which is equivalent to

  $\dfrac{v_m}{v_c} \;\ge\; 1 - \dfrac{\Delta}{T}. \qquad (2)$

From inequality (1), we can obtain

  $\dfrac{v_m}{v_c} \;>\; 1 - \Delta\cdot\dfrac{v_m}{X_0},$

which, using the definition of $t_m = \dfrac{X_0}{v_m}$, gives

  $\dfrac{v_m}{v_c} \;>\; 1 - \dfrac{\Delta}{t_m}. \qquad (3)$

Since $T \le t_m$, the right-hand side of (3) is not smaller than $1 - \dfrac{\Delta}{T}$, establishing (2).

It remains to show that

  $\underbrace{M.rest \wedge C.rest \wedge x_c = x_m = X_0}_{\Theta} \;\to\; \underbrace{M.rest \wedge C.rest \wedge x_c = x_m = X_0}_{\varphi_0} \qquad (4)$

  $\varphi_0 \vee \cdots \vee \varphi_3 \;\to\; (C.run \wedge x_c = x_m \;\to\; x_m = 0). \qquad (5)$

Implication (4) is obviously valid. To check implication (5), we observe that both $\varphi_0$ and $\varphi_1$ imply $\neg C.run$, $\varphi_2$ implies $x_c > x_m$, and $\varphi_3$ implies $x_m = 0$.

This shows that under the assumption (1), property

  $\Box(\mathit{Cat.run} \wedge (x_c = x_m) \;\to\; x_m = 0)$

is valid for the Cat and Mouse system.
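Added example (not from the paper) serving both the escape property of Section 4.3 and the proof-diagram assertions above: an event-driven sampling of the Cat and Mouse system whose continuous phases are cut at the important events, with checks of the invariance property and of $\varphi_2$ of Fig. 21 along the trace. The parameter values, the function names, and the restriction of C.win to situations with $\mathit{Cat.run} \in \pi$ (the printed condition would already fire in the initial situation, where $x_c = x_m = X_0$) are assumptions of this example.

```python
"""Constructed event-driven simulation of the Cat and Mouse phase transition
system (example code, not the paper's).  Continuous phases are cut exactly at
the important events xm = 0 and xc - xm = 0 and at the [Delta, Delta]
deadline of C.rest-run, so every sampled situation is one in which a
transition may fire."""
from dataclasses import dataclass

ACTIVE = frozenset({"Mouse.rest", "Mouse.run", "Mouse.safe", "Cat.rest", "Cat.run"})


@dataclass(frozen=True)
class Situation:
    pi: frozenset   # active basic states, or a single Wins state
    xc: float       # cat position (distance from the hole)
    xm: float       # mouse position
    T: float        # global clock


def escape_condition(X0, Delta, vc, vm):
    """Sufficient condition (1) of the paper: X0/vm < Delta + X0/vc."""
    return X0 / vm < Delta + X0 / vc


def take_transition(s, Delta, eps):
    """Successor of s under the first enabled transition, or None.

    All transitions are immediate except C.rest-run, whose bounds
    [Delta, Delta] force it exactly when Cat.rest has been active for
    Delta time units, i.e. when T = Delta."""
    same = abs(s.xc - s.xm) <= eps
    if s.pi & ACTIVE and same and abs(s.xm) <= eps:            # M.win
        return Situation(frozenset({"Mouse-Wins"}), 0.0, 0.0, s.T)
    # C.win, restricted to a running cat (assumption of this example)
    if "Cat.run" in s.pi and same and s.xm > eps:
        return Situation(frozenset({"Cat-Wins"}), s.xc, s.xm, s.T)
    if "Mouse.rest" in s.pi:                                    # M.rest-run
        return Situation(s.pi - {"Mouse.rest"} | {"Mouse.run"}, s.xc, s.xm, s.T)
    if "Mouse.run" in s.pi and abs(s.xm) <= eps:                # M.run-safe
        return Situation(s.pi - {"Mouse.run"} | {"Mouse.safe"}, s.xc, 0.0, s.T)
    if "Cat.rest" in s.pi and s.T >= Delta - eps:               # C.rest-run
        return Situation(s.pi - {"Cat.rest"} | {"Cat.run"}, s.xc, s.xm, s.T)
    return None


def continuous_phase(s, Delta, vc, vm):
    """Let time flow until the next important event or transition deadline."""
    deadlines = []
    if "Cat.rest" in s.pi:
        deadlines.append(Delta - s.T)                 # upper bound of C.rest-run
    if "Mouse.run" in s.pi:
        deadlines.append(s.xm / vm)                   # event xm = 0
    if "Cat.run" in s.pi:
        mouse_v = vm if "Mouse.run" in s.pi else 0.0
        if vc > mouse_v:                              # event xc - xm = 0
            deadlines.append((s.xc - s.xm) / (vc - mouse_v))
    dt = min(deadlines)
    xm = s.xm - vm * dt if "Mouse.run" in s.pi else s.xm
    xc = s.xc - vc * dt if "Cat.run" in s.pi else s.xc
    return Situation(s.pi, max(xc, 0.0), max(xm, 0.0), s.T + dt)


def run(X0, Delta, vc, vm, eps=1e-9, max_steps=50):
    """Sampled computation from the initial situation to a Wins state."""
    s = Situation(frozenset({"Mouse.rest", "Cat.rest"}), float(X0), float(X0), 0.0)
    trace = [s]
    for _ in range(max_steps):
        if not (s.pi & ACTIVE):                       # Cat-Wins or Mouse-Wins
            break
        s = take_transition(s, Delta, eps) or continuous_phase(s, Delta, vc, vm)
        trace.append(s)
    return trace


def winner(trace):
    return next(iter(trace[-1].pi))


def mouse_escapes(trace, eps=1e-9):
    """Invariance property of Section 4.3: Cat.run and xc = xm imply xm = 0."""
    return all(abs(s.xm) <= eps for s in trace
               if "Cat.run" in s.pi and abs(s.xc - s.xm) <= eps)


def diagram_phi2_holds(trace, X0, Delta, vc, vm, eps=1e-9):
    """Assertion phi_2 of Fig. 21 at every sampled situation with M.run and C.run:
    Delta <= T <= tm and xc = X0 - vc*(T - Delta) > xm = X0 - vm*T."""
    tm = X0 / vm                                      # time for the mouse to run X0
    for s in trace:
        if {"Mouse.run", "Cat.run"} <= s.pi:
            on_track = (abs(s.xc - (X0 - vc * (s.T - Delta))) <= eps
                        and abs(s.xm - (X0 - vm * s.T)) <= eps)
            if not (Delta - eps <= s.T <= tm + eps and on_track and s.xc - s.xm > eps):
                return False
    return True
```

With $X_0 = 10$, $v_c = 5$, $v_m = 2$ the mouse escapes for $\Delta = 4$ (condition (1) holds) and is caught at $T = 10/3$ for $\Delta = 2$, where $\varphi_2$ fails at the catching situation.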

4.5  The  Gas  Burner  Example 

We conclude with an example of a Gas Burner System, presented in [CHR92]. Consider the timed statechart presented in Fig. 22.

Initially $Leak = F$

Figure 22: GAS-BURNER: A gas burner system.

This statechart represents a Gas Burner system that has three states: $s_0$, $s_1$, and $s_2$. There is a boolean state variable $Leak$ whose value represents whether the system is currently leaking. For clarity, we have labeled each state with the value of $Leak$ at the states. However, this labeling has no semantic meaning. The verification problem posed in [CHR92] can be formulated as follows.

Assuming:

1. A continuous leaking period cannot extend beyond 1 time unit.

2. Two disjoint leaking periods are separated by a non-leaking period extending for at least 30 time units.

Prove:

• Safety-Critical Requirement: In any interval longer than 60, the accumulated leaking time is at most 5% of the interval length.

Obviously, the timed statechart of Fig. 22 satisfies assumptions 1 and 2. The only leaking state is $s_1$ and it is clear that the system cannot stay continuously in $s_1$ for more than 1 time unit and that, between two consecutive (but disjoint) visits to $s_1$, the system stays at the non-leaking state $s_2$ for at least 30 time units.

However, the property to be proved uses the notion of accumulated time in which some assertion, such as $Leak$, holds. This cannot be expressed directly in $\mathrm{TL}_\Gamma$. The calculus of durations, introduced in [CHR92], has a special duration operator $\int p$ that measures the accumulated time $p$ holds. Later, we will briefly consider an extension of $\mathrm{TL}_\Gamma$ which adopts the duration operator [KP92a].

To handle this problem without extending the logic, we represent the Gas Burner system as a hybrid system, using auxiliary variables that measure the total time of an interval and the accumulated time in which variable $Leak$ has been true. For simplicity, we first consider the safety-critical requirement only for initial intervals, i.e., intervals starting at $T = 0$. The extension of the method to arbitrary intervals is then straightforward and will be discussed later.

Consider the hybrid statechart of Fig. 23.

Figure 23: H-GAS: The gas burner as a hybrid system.

The system presented there employs three auxiliary continuous variables as follows:

• Variable $x$ measures the duration of time in each of the states $s_0$, $s_1$, and $s_2$. It is reset to 0 on entry to each of these states.

• Variable $y$ measures the accumulated leaking time. It grows linearly in state $s_1$, and stays constant in any of the other states.

• Variable $z$ measures the total elapsed time.

With these variables, we can write the requirement that the accumulated leak time does not exceed 5% of the elapsed time as $y \le 0.05\cdot z$ or, equivalently, as $20\cdot y \le z$.

Consequently, to verify that the original timed system of Fig. 22 maintains the safety-critical requirement for initial intervals, it is sufficient to prove that all computations of the hybrid system of Fig. 23 satisfy the invariance property

  $\Box\,(z \ge 60 \;\to\; 20\cdot y \le z).$

This is the first example in which the invention of the necessary auxiliary invariants is not immediately obvious. Therefore, we will spend some time on their derivation. We try to find a relation that continuously holds between $y$ and $z$ and that implies the requirement

  $z \ge 60 \;\to\; 20\cdot y \le z. \qquad (6)$


Consider a finite prefix of a computation. Let $\nu_1$ denote the number of times the leaking state $s_1$ is visited in this prefix. Since on each visit variable $y$ grows by at most 1 time unit, we have

  $y \le \nu_1$

at the end of the prefix. On the same prefix, variable $z$ can be bounded from below by the sum of the accumulated time spent at $s_1$ and the accumulated time spent at $s_2$, ignoring the time spent at $s_0$, which can be arbitrarily short. The accumulated time spent at $s_1$ equals $y$. Since between two consecutive visits to $s_1$ the computation visits $s_2$, the number of visits to $s_2$ is at least $\nu_1 - 1$, and each of these visits lasts at least 30 time units. We thus obtain

  $z \;\ge\; 30\cdot(\nu_1 - 1) + y \;\ge\; 31\cdot y - 30,$

where the last inequality is obtained by replacing $\nu_1$ by the smaller or equal value $y$. This leads to:

  $z \ge 31\cdot y - 30. \qquad (7)$

We will show that this relation implies requirement (6), that is

  $z \ge 31\cdot y - 30 \;\to\; (z \ge 60 \;\to\; 20\cdot y \le z),$

or, equivalently,

  $z \ge 31\cdot y - 30 \;\wedge\; z \ge 60 \;\to\; 20\cdot y \le z.$

By $z \ge 60$, which can be written as $30 \le \tfrac{1}{2}\cdot z$, we can replace the value 30 in $z \ge 31\cdot y - 30$ by the bigger or equal value $\tfrac{1}{2}\cdot z$ and obtain

  $z \;\ge\; 31\cdot y - \tfrac{1}{2}\cdot z,$

leading to

  $\tfrac{3}{2}\cdot z \;\ge\; 31\cdot y,$

from which $20\cdot y \le \tfrac{62}{3}\cdot y \le z$ follows.

Figure 24: An invariance proof diagram for the gas burner.

We therefore start with the assumption that the inequality $z \ge 31\cdot y - 30$ holds at all states in the computation. Working backwards, we can identify what versions of this invariant should hold on every visit to each of the states $s_0$, $s_1$, and $s_2$. This leads to the proof diagram presented in Fig. 24. Transitions in this diagram are identified by the names of the states in system H-GAS from which they exit. To facilitate the reading of the diagram, edges entering a node are annotated by an assertion that holds whenever this node is entered. Thus, it can be shown that $z \ge 31\cdot y$ (which is the same as $(z - x) \ge 31\cdot(y - x)$ since $x = 0$ on entry) holds on entering node $n_1$ from either $n_0$ or $n_2$. Since $x$, $y$, and $z$ all grow at the same linear rate within state $s_1$ (corresponding to node $n_1$), the differences $z - x$ and $y - x$ maintain the values they had on entry. This explains why $(z - x) \ge 31\cdot(y - x)$ is maintained within $n_1$. On exit from $n_1$ to $n_2$, $x \le 1$; therefore, $(z - x) \ge 31\cdot(y - x)$ implies $z \ge 31\cdot y - 30\cdot x \ge 31\cdot y - 30$ on entry to $n_2$. Since, within $n_2$, both $x$ and $z$ grow at the same rate, while $y$ remains the same, $(z - x) \ge 31\cdot y - 30$ is maintained.

It is not difficult to see that the initial condition implies $\varphi_0$ and that each of $\varphi_0$, $\varphi_1$, or $\varphi_2$ implies $z \ge 31\cdot y - 30$. Consequently, $z \ge 31\cdot y - 30$ holds over all computations, establishing the validity of

  $\Box\,(z \ge 60 \;\to\; 20\cdot y \le z).$

To generalize this analysis to arbitrary (not necessarily initial) intervals, we can add a transition that nondeterministically resets the values of $y$ and $z$ to 0. This will start the measurements corresponding to an interval at an arbitrary point in time. In fact, the proof diagram of Fig. 24 is also valid for this system. It can be checked that all the assertions in this diagram are preserved under simultaneous reset of $y$ and $z$ to 0. To ensure that this new transition is self-disabling, we make it enabled only when $y > 0$.

Proof by an Extended Version of $\mathrm{TL}_\Gamma$

The previous proof transformed the Gas Burner problem into a hybrid system and verified the required property in the hybrid model. We will now consider an alternative approach, which does not modify the given system but uses a stronger logic. Since the original Gas Burner system as presented in Fig. 22 is a TTS rather than a hybrid system, we return to the framework of timed transition systems.

As is shown in [KP92a], it is possible to extend $\mathrm{TL}_\Gamma$ further by adding the duration function $\int p$, which measures the accumulated time in which $p$ has been true up to the present. We denote the extended logic by $\mathrm{TL}_{\Gamma\int}$.

Very few extensions are needed as a result of this addition. The first extension is axiom DURATION-RANGE, which bounds the range of the duration function and also relates it to the age function.

  DURATION-RANGE:  $0 \le \Gamma(\psi) \le \int\psi \le T$  for every formula $\psi$

Since duration expressions can appear in assertions, it is also necessary to define the primed version of a duration expression $\int r$, denoted $(\int r)'$, for some assertion $r$. This is given by

  $(\int r)' = \mathbf{if}\ r\ \mathbf{then}\ \int r + T' - T\ \mathbf{else}\ \int r.$

This definition states that, if $r$ holds at $s$, then the value of $\int r$ at $(s', t')$ is its value at $(s, t)$ plus the time difference $t' - t$. Otherwise, it retains the same value it has at $(s, t)$. Since we are back in the timed transition system model, it is sufficient to check the value of $r$ at $(s, t)$.

Using the logic $\mathrm{TL}_{\Gamma\int}$, we can express the safety-critical requirement of system GAS-BURNER of Fig. 22 by the formula

  $\Box\,(T \ge 60 \;\to\; 20\cdot\textstyle\int Leak \le T).$

We can prove this property using rule T-INV and monotonicity. The auxiliary invariant assertion used is inspired by the proof diagram of Fig. 24 and is given by

  $\mathit{at\_s_0} \;\wedge\; \int Leak = 0$
  $\vee\; \mathit{at\_s_1} \;\wedge\; (T - \Gamma(\mathit{at\_s_1})) \ge 31\cdot(\int Leak - \Gamma(\mathit{at\_s_1}))$
  $\vee\; \mathit{at\_s_2} \;\wedge\; (T - \Gamma(\mathit{at\_s_2})) \ge 31\cdot\int Leak - 30.$

This proof can also be presented as a proof diagram, resembling very much the diagram of Fig. 24. The main difference is that we replace $x$, $y$, and $z$ by $\Gamma(\mathit{at\_s_i})$ (according to the node), $\int Leak$, and $T$, respectively.
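Added example (not the paper's code) covering both the hybrid proof of Fig. 24 and its $\mathrm{TL}_{\Gamma\int}$ restatement: sampled computations of H-GAS over a given visit schedule, checking the node assertions and the 5% requirement at every sampled situation; since $\Gamma(\mathit{at\_s_i})$, $\int Leak$ and $T$ are exactly $x$, $y$ and $z$, the same check serves the second proof. The statechart topology $s_0 \to s_1 \to s_2 \to s_1 \to \cdots$, the schedule format and the function names are this example's assumptions.

```python
"""Constructed sampled computations of the hybrid gas burner H-GAS (example
code, not from the paper).  A schedule is a list of (state, dwell) pairs; the
auxiliary variables x, y, z of Fig. 23 are advanced through each continuous
phase, and the assertions of the proof diagram of Fig. 24 together with the
requirement z >= 60 -> 20*y <= z are checked at every sampled situation."""
from fractions import Fraction

# Assumed topology of the statechart of Fig. 22 (assumption of this example).
NEXT = {"s0": {"s1"}, "s1": {"s2"}, "s2": {"s1"}}
LEAK_MAX = Fraction(1)       # assumption 1: a leaking period lasts at most 1
SEPARATION = Fraction(30)    # assumption 2: time bounds [30, inf] on leaving s2


def schedule_is_admissible(schedule):
    """Visits follow the statechart edges, s1 visits last at most LEAK_MAX
    and s2 visits at least SEPARATION (the text's assumptions 1 and 2)."""
    prev = None
    for state, dwell in schedule:
        if prev is not None and state not in NEXT[prev]:
            return False
        if state == "s1" and dwell > LEAK_MAX:
            return False
        if state == "s2" and dwell < SEPARATION:
            return False
        prev = state
    return True


def node_assertion(state, x, y, z):
    """Node assertions of Fig. 24.  Gamma(at_s_i), Int Leak and T of the
    TL_Gamma,Int version are exactly x, y and z."""
    if state == "s0":
        return y == 0                       # Int Leak = 0
    if state == "s1":
        return z - x >= 31 * (y - x)        # differences frozen while in s1
    return z - x >= 31 * y - 30             # s2: y constant, x and z grow


def requirement(y, z):
    """Safety-critical requirement: z >= 60 -> 20*y <= z."""
    return z < 60 or 20 * y <= z


def sampled_computation(schedule):
    """Situations (state, x, y, z) on entry to and on exit from each visit.
    x is reset on entry, y grows only in s1 (leaking), z always grows."""
    y = z = Fraction(0)
    trace = []
    for state, dwell in schedule:
        x = Fraction(0)
        trace.append((state, x, y, z))          # after the entering transition
        d = Fraction(dwell)
        x, z = x + d, z + d                     # continuous phase of length d
        if state == "s1":
            y += d
        trace.append((state, x, y, z))          # just before leaving
    return trace


def first_violation(trace):
    """Index of the first sampled situation violating the node assertion or
    the requirement, or None when the whole trace is clean."""
    for i, (state, x, y, z) in enumerate(trace):
        if not node_assertion(state, x, y, z) or not requirement(y, z):
            return i
    return None


def worst_case_schedule(cycles):
    """Leak for the full unit, then wait the minimal 30: the schedule on
    which the bound z >= 31*y - 30 is attained with equality."""
    return [("s0", 0)] + [("s1", 1), ("s2", 30)] * cycles
```

A schedule that waits only 10 time units between leaks is rejected by the admissibility check and, run through the monitor, breaks the $n_1$ assertion on the second entry to $s_1$, well before the 5% requirement itself would fail.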